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FEDERAL BUREAU OF INVESTIGATION 


Date of transc#iption 


: System Administrator, be 
Communications, Lo RrankTin~ “Avenues” Néw “York, , NY b7C 
telephone _ was contacted by ‘the ‘int rviewing 
agent. After beilig advised of the purpose of the @nterview, 
[provides thel folowing information: 
Echo Communications’ (Echo) Uniform Resource List (URL) 
is www.echonyc.com. The computer that acts as the server for 
this URL is a computer, runnin b7E 
Echo 
offers paid membership for anyone interested in its services. 
These services are advertised as a “virtual community”. Echo has 
about 1000 active members. All members have access to the server 
via Telnet, and most members access the server in this way. 
Furthermore, all members have access to the file “/etc/passwd”. 
Echo maintains about 8 computers on its local network, and about y b6 
4 of those are hosted by Echo for other individuals. i 
[J was asked _by the interviewing agent if she was 
aware of a file rn eee her system. [| 
verified that this file did, in fact, exist. She stated that she 
was not aware what the purpose of this file was, as it was not 
used as part of Echo’s normal business. She provided the 
interviewing agent a copy of the contents of this file. 
b3 
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Investigation on 10 / 14 / 98 at New York , NY 


Fite #| | Date dictated 10/14/98 ‘ 
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This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; 
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Date of transcription 10/1/98 


(Protect Identity), telephone [ 6 


[ contacted the interviewing agent. After being advised of . nm 
the identity of the interviewing agent, provided the 
following information: 


The New York Times hack that occurred on September 13 


b6 
b7c 
b7D 


concluded that 
he would contact the interviewing agent with any further 
information regarding 


Investigation on 10/1/98 at New York, NY (telephonically) 
b3 
File # Date dictated 10/1/98 b6 
b7C 
by SA | | bT7E 


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; 
it and its contents are not to be distributed outside your agency. 
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Date of transcription 11/10/98 


(Protect Identity), 


was contacted by the interviewing agent. After being 
advised of the identity of the interviewing agent, provided 
the following information: 


stated that he has been 


continued that 


[_Jeontinuea that [—d 
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This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; 
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[| concluded that he would be available for further 


questions. 
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FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 12/02/1998 


To: [| Attn: Squad 4 


From: New York 


Contact: SAL sd; 2.12. 38.4..3187 
approved By: [| LL] 
Drafted By: [_ 
Case ID #: [sss (Pending) 


Title: 


NEW YORK TIMES-VICTIM; 
CITA; 
00 : NY 


Synopsis: Set lead to interview 


regarding 


Enclosures: Forbes background article dated on New York Times 
hack dated 11/16/98; printouts from with a 
picture that is believed to be 

photo and information. 


Details: On the morning of September 13, 1998, the New York 
Times website (www.nytimes.com) was hacked by a group known as 
HACKERS FOR GIRLIES (HFG). The hackers altered the NY TIMES 
website with a webpage containing various text messages and 
graphic images. As a result, the NY Times took their computers 
off-line for approximately nine hours. The hackers erased the 
audit logs maintained on the computer. 


HFG has claimed responsibility for hacking the New York 
Times, NASA, MOTOROLA, PENTHOUSE, ELITEHACKERS . ORG and RT66.COM. 
fc 
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To: From: New York b7c 
Re: 12/02/1998 . | bE 


b6 


According to 
b7C 


over the Internet. 


| SSC [moved out tol __————cand 
a es ee 
}_______ and believed_to be in contact withL.___| 


ates with many of the area hackers including 


chet 


LEAD (s): 


Set Lead 1: 
— bs 
; b7¢c 
a 


Interview about any 
knowledge she may have regarding past hacking 
activities, the New York Times hack and HFG. New York plans to 
execute search warrants in the[___]division in the near 
future. If possible, NEW YORK request the interview be done the 
day the search warrants are executed. NEW YORK will contact 
fo |eegarciag the date. 


o¢ 


A Forbes reporter 

meets with the ringleader 
of the gang that hacked 
the New York Times. 
Here's an inside look 
into the picaresque 
underworld of Slut Puppy 
and Master Pimp. 


By Adam L. Penenberg 


lut Puppy and his partner in crime, 
Master Pimp, hacked the New York 
Times on Sept. 13 because they were 
bored and couldn’t agree on a video 
to watch. 
They are members of the cyberspace gang, 
“Hacking for Girlies” (HFG), and for six months 
this year operated out of Slut Puppy’s three- 
room condo, a place so tidy, so clean, it seemed 
positively unhackerlike. Of course, that didn’t 
mean there were no telltale signs that hackers 
typed here. The blinds were drawn, the only 
light source beamed from computer screens. It 
could just as easily have been 3 a.m. as 3 p.m. 
On the condition we protect his anonymity, 
Slut Puppy agreed to give this FORBES reporter 
an inside account of the group’s hacksploits. 


132 


“We were long gone wheg 


H4CKING 


1s he re RINE ASSAY IAN SALEM eb NERD 


If you operate on the Internet, you could gq 
hacked. The highwaymen of the Internet are 
loosely affiliated brotherhood (and sisterhood 
of techno-savvy people who make a hobby d 
puncturing what they regard as the pompositid 
of society. As far as breaking the law is co 
cerned, they think of themselves as kind of 
cross between the Scarlet Pimpernel and Robi 
Hood—harassing people they don’t likg 
thumbing their noses at the law. 

Members of the brotherhood took over th 
New York Times Web site for three hours o} 
that day, replacing the welcome screen with o 
tinged with nudity and obscenity. In a diatribg 
Slut Puppy roasted Times technology report¢ 
John Markoff for his coverage of imprison 
hacker-martyr Kevin Mitnick. 


Forbes ® November 16, 1994 


he pulled the 


To the people at the New York Times, 
the prank was sacrilege. When they dis- 
covered the hacked page and were 
unable to restore their own news con- 
tent, the Timesters were forced to shut 
down the site for nine hours. While 
Times technicians located and plugged 
security holes, the company reported 
the hack to the FBI. Joseph Valiquette, 
spokesman for the FBI’s New York office, con- 
firmed that the agency’s computer crime squad 
is investigating. 

Today the perpetrators are two of the most 
wanted fugitives in cyberspace. 

Although the Times prank may have been 
Hacking for Girlies’ most spectacular hack, the 
newspaper was not its first target. In April of this 


message 
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Slut Puppy’s 


to the New York 
Times may be 
obscene, but he 
insists, “We do 
have ethics.” 


plu g” 


year it penetrated Rt66 Internet, an Albu- 
querque Internet service provider. Over the next 
four months the gang claimed assaults on, 
among others, NASA’s Jet Propulsion Laboratory, 
Motorola and Penthoise magazine before return- 
ing to Rt66 in August. 

To penetrate the Times, Slut Puppy and 
Master Pimp employed what is called a remote 
root buffer overflow. By transmitting too many 
data into a targeted zone, then tracking and 
manipulating the characters that could not fit 
into that space, they were able to trick the 
system into running their commands as if they 
were being issued by New York Times system 
administrators. 

After wheedling their way inside the server, 
they pulled down the Times front page and 
replaced it with one shown in part here, a fake 
layout that Slut Puppy had composed with two 
other members of HFG: Sidekick Slappy and 
Daddy Sweetcakes, both of whom work off-site 
and communicate with the gang exclusively over 
the Internet. 

Slut Puppy and Master Pimp were able to con- 
trol so many functions on the site that when 
Times technicians tried to pull their hacked page 
and replace it with standard news content, the 
hackers, who had logged off by then, 
used a program that automatically slipped 
their page back. For almost three hours 
this went back and forth, until the Times 
took its site off-line. Chortles Slut Puppy, 
“They seemed to have no idea how we 
got in—or how to stop us.” 

On his hacked page Slut Puppy includ- 
ed several pointed references to John 
Markoff, the Times reporter who co-wrote the 
1996 book Takedown, which detailed the search 
and capture of Kevin Mitnick, a hacker who 
faces a 25-count indictment on a variety of com- 
puter and wire-fraud charges. Mitnick, whose 
trial starts in January, has become a martyr to 
hackers. 

Although Slut Puppy knows Mitnick broke the 
law, he and many other hackers blame Markoff 
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The Happy Hacker, Carolyn P. Meinel:” 
“Hacker gangs are like street gangs.” 


for hyping Mitnick’s crimes in Take- 
down, for which he reportedly shared 
a $750,000 advance. The book is also 
being turned into a movie, which will 
undoubtedly increase pro-Mitnick 
protest activities in cyberspace. 

Markoff says he loses no sleep over 
Mitnick, who has already pleaded guilty 
and served time for possession of unau- 
thorized access codes to cellular phones 
and for violating parole. “You have to 
wonder how deep these hackers’ think- 
ing goes,” Markoff says. “If they have 
a political cause, they are accomplishing 
the exact opposite of their goal. No 
one is doing more to promote the 
upcoming movie than the hackers 
themselves.” 

Markoff wasn’t the only one to 
make it onto HFG’s hit list. Carolyn P. 
Meinel of Cedar Crest, N.M. is its 
public enemy number one. 

Meinel is the author of The Happy 
Hacker, a kind of Hacking for Dum- 
mies volume chock-full of folksy golly- 
gee-isms interspersed with geck talk. 
The goal of the book is to teach “new- 
bies” how to hack legally. The book’s 
tone irks many of the more sophisticat- 
ed hackers, who claim to be on a mis- 
sion to show how porous most com- 
puter security is—the law be damned. 

And here was Meinel asserting in 
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public forums that 
hacker groups were 
like street gangs, 
forcing teenage init 
ates to) commit 
crimes to gain mem, 
bership. “Meinel has 
this idea thar as the 
Happy Hacker she is 
this noble leader 
among, leaders,” Shut 
Puppy says. “But she 
pretends to know 
more than she does, 
so we thought, “Let’s 
make her lite hell.” 
After a cozy Easter 
Day dinner in April, 
John Mocho, co- 
owner of Rt66 Inter- 
net, was showing his 
son and grandson 
how: to upload family 
photos to his wite’s 
Web site, The hack- 
ers had nothing 
against Rt66. Their 
target was one of the isP’s customers. 
A wholesome family scene turned 
downright unwholesome when 
Mocho tried to access his (sp’s front 
page. Instead of the usual welcome 
screen, he was met with a picture of 
one of his customers, 52-year-old 
mother of six Carolvn Meinel, posing 
on the cover of a fictional 
publication, “Crack Whore 
Magazine,” as well as her 
credit card number. A gang 
Mocho had never heard of, 
calling itself Hacking for 
Girlies, claimed responsibility 
While his son rushed his 
grandson into the next room, 
Mocho went after the hackers. 
“T had never been hacked 
before,” he said. “This was mv 
Isp, my customers. | wanted 
them off as soon as possible.” 
Mocho launched a preemptive 
strike. He typed in the Unix com- 
mand “kill-9.° which he assumed 
would cripple the hackers’ ability to 
issue commands. Seconds later Mocho 
was booted off his own network. 
Figuring there was only one sure 
wav to get rid of them, he jumped 
into his car and, driving 55mph in a 
30mph zone, made it to his office in 


three minutes flar. Mocho cursed the 


race 
ect: 
int oN ea 


day he had let his partner, Mark 
Schmitz, and the isp’s system admin- 
istrator, Damian Bates, convince him 
to accept Meinel as a customer. A 
lightning rod for hackers, she had 
already been kicked off five other Isps. 

Schmitz and Bates had preached the 
First Amendment. No one, thev 
argued, should be forced off an isp 
because a bunch of hackers didn’t like 
her. Schmitz and Bates also figured 
their computer security was solid. 

They figured) wrong, Mocho 
thought grimly. After gaining entry to 
his office, Mocho grabbed a network 
cable and vanked hard. Rt66 was cut 
off from the Internet. The phone 
would start taunting Mocho any 
minute now, with irate customers 
threatening to switch IsPs. 

Mocho estimated that the hackers 
had been inside the network 20 min- 
utes—-30 tops. Enough time to have 
compromised it. In their haste to 
leave, however, he surmised that they 
had left behind a standard “root 
kit”-—software designed to take and 
maintain control over another’s 
system. This, in his mind, indicated 
they were amateurs, which cheered 
him. “From a technical point, this 
meant they had no magic ship to get 

Mocho said. “They probably 
compromised a user’s account, stole 
someone’s password.” 


on (9 iis 


was S 
know hey had 
ut it 


mes 
next day 


What he did not realize was that HEG 
had not used a root kit; evidently it had 
been left behind by some other hack- 
ers. In tact, HFG had sailed in undetect- 
ed on that magic ship Mocho was so 
sure wasn't there, burrowed deep 
inside millions of lines of Isp code. 

Ir took Mocho and company 20 
hours to get Rt66 up and running 
again, During this process someone 
either missed a machine or inadver- 
tently installed a snapshot of the hacked 
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system by accident. For whatever 
reason, the back door HEG had slipped 
in through remained open. Using that 
same flight path, Hacking for Girlies 
would return to Rt66 in August. 

But long before reattacking Rt66, 
the hackers maintained continual 
access to the system: sifting through 
customers’ E-mail, noting any securi- 
ty improvements. Since they despised 
Meinel, they read all of her mail. 

Although Mocho believed the 
Easter hack was the first time HFG had 
violated his isp, Slut Puppy says he 
took many a joyride through Rt66’s 
servers well before then. It was during 
one of these jaunts that Slut Puppy 
noticed that Rt66 was employing a 
product called Tripwire. 

If any files are altered by a hacker, 
this software is designed to alert the 
system administrator. But Slut Puppy 
knew a technique for getting around 
it. Because Tripwire works by com- 
paring numbers it assigns to each file, . 
all he had to do was adjust the num- 
bers that were already on the system. 
It’s like altering the answers on an 
exam to match yours, no matter how 
outlandish they are. 

While Slut Puppy hummed “Get 
your clicks on root 66” and designed 
the Web page, Master Pimp bounced 
through some IsPs to camouflage their 
itinerary. Using the existing back door, 


“We've Ray the eis just 


for the 
comes~-W a "ve ev ostile ra 
p nne fot a ho "et 
where eds a 
plant evidence.” 


Master Pimp typed in a keyword and 
within ten seconds had control of one 
of Rt66’s servers. From there he tra- 
versed over to the system’s power- 
house, “Mack,” where Slut Puppy 
replaced R166’s home page with HEG’s. 

“Rather than continuing the gun- 
fight, we cleaned up our tracks by eras- 
ing logs and left,” Slut Puppy said. 
“We were long gone when he pulled 
the plug.” 

As it happens, Meinel says that on a 
personal level the hackers “have hardly 
done any harm to me. They hurt 
bystanders. They harm the Isps, their 
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customers and the credit 
card companies.” 

Meinel also says the 
hackers can come after her 
all they want. “Sure helps 
me sell more books,” she 
contends. 

After the Easter hack, 
when the ISP was consider- 
ing tossing her off the net- 
work, Meinel swore to 
Rt66 that the credit card 
the hackers stole had not 
come from the IsP’s credit 
card file. Later, Meinel 
admitted that she had 
been mistaken. This is key 
because Rt66 took her 
word the credit card file 
had not been breached. 

Slut Puppy, on the other 
hand, was amazed that 
Rt66 didn’t do anything 
to remove the credit card 
file from the network after 
the Easter hack. 

So, on Aug. 7 Slut Puppy and 
Master Pimp, entering Rt66’s servers 
the same way they did in April, made 
off with the whole customer credit 
card file—1,749 card numbers in all. 

“It was so easy getting back into 
their system with the same back door, 
we wondered if they had set a trap,” 
Slut Puppy said. 

This hack not only result- 
ed in the Isp shutting down 
for some 60 hours but also 
forced Rt66 to rebuild its 
security from scratch. 

What is unfortunate is 
that Rt66, by doing the 
right thing in alerting the 
FBI and credit card compa- 
nies to the security breach, 
has suffered for its good deeds. Even 
with its rebuilt security—R166 is now 
one of the most secure ISPs in New 
Mexico—the Isp has lost 15% of its 
5,000 or so members since the 
August hack. 

“T respect the hackers’ skills,” Rr66 
system administrator Bates grumbles, 
“although I didn’t appreciate the obnox- 
ious way they demonstrated them.” 


Internet Security Systems (ISS) of 


Atlanta, Ga., one of the big names in 
computer security, has donated a 
remote monitoring station for the 
R166 network. iss hopes to trap Hack- 


Moscow .. 


SUWiL 31LLvaS 3HL 


Times reporter John Markoff: “Sure, | was pissed.” 


ing for Girlies the next time it tries to 
invade the system. 

But Slut Puppy already knew about 
Iss’ presence in Rt66 from one of his 
many well-placed sources. “Needless 
to say, we don’t plan on returning 
anytime soon,” he says. 

Of course, Slut Puppy knew that 
hacking the New York Times was a lot 
riskier than attacking Rr66—the news- 
paper has immense clout in Washing- 
ton, D.C. The day after the Times 
hack, Slut Puppy and Master Pimp 
packed up the computers used in their 
hack spree and passed them on to 
others for safekeeping. Any data 
gleaned from their other crimes were 
either deleted or protected by power- 
ful 1,024-bit encryption. 

“Even we don’t know where all of 
the equipment is,” Slut Puppy says. 
“And my password to the encryption 
is probably unbreakable, too, since it 
is more than 40 characters long, case- 
sensitive, and combines letters, num- 
bers and symbols. We’ve planned not 
just for the day the FBI comes—we’ve 
even planned for a hostile raid where 
the Feds actually plant evidence.” 

The group plans to lic low until law 
enforcement moves on to bigger and 
better cases. By the way, whence the 
name Hacking for Girlies? “Chicks dig 
hacking,” explains Slut Puppy. 
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NEW YORK TIMES-VICTIM; 

CITA; 

OO: NY 


Synopsis: set lead to interview— 
regarding HACKERS FOR GIRLIES.and the New York Times hack. 
Reference: Numerous calls between sacl and saf | . 


Details: On the morning of September 13, 1998, the New York 
Times website (www.nytimes.com) was hacked by a group known as 
HACKERS FOR GIRLIES (HFG). The hackers altered the NY TIMES 
website with a webpage containing various text messages and 
graphic images. As a result, the NY Times took their aa | 


off-line for eee nine hours. The hackers 


HFG has claimed responsibility for hacking the New York 
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AT WASHINGTON 


Interview and polygraph 
about any knowledge he may have regarding the New York Times hack 
and HFG. New York plans to execute search warrants in the 
division in the near future. If possible, NEW YORK 
request the interview be done the_day the search warrants are 
executed. NEW YORK will contact [a vieion regarding the 
date. 
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Source, who is not in a position to testify, provided 
the following information: 


a 


HACKING FOR GIRLS (HFG,) a computer hacking group 
believed to be responsible for the recent NEW YORK TIMES web page 
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The following investigation_was conducted by squad 17 
and documented by Special agent (Sa)[ +d 


Surveillance Date: 11/24/98 
Day: Tuesday 
Weather: Sunny 


at which time the following observations were 


noted: 


Time Initials Observations 


Begin surveillance of 
(L-1) and 

Observe 

(V-1) in 


V-1 in parking lot L-1 & L-2 
V-1 in parking lot L-1 & L-2 


V-1 in parking lot L-1 & L-2 no change 
in activity 


b7C 
b7E 


b6 
b7C 
b7E 


b6 
b7C 
b7E 


b3 
bT7E 


sy 2 3 


SURVEILLANCE LOG -| = ~~ ~=[DIVISION - b3 
: b6 
Date : Page 1 of ¢ b7c 
b7E 
(sen [iouce of coverage] 
File # Case Log Prepared i : 
O clear K Partly Cloudy O Rain 
O Overcast O Partly Sunny O sunny : a | 


Day of week 


Tuesday Wednesday Thursday Friday Saturday 


b6 
b7Cc 


LOCATIONS COVERED (IN CHRONOLOGICAL ORDER) 


LL 
L2 
L3 
L4 


L5 b6 
- b7C 
L6 ; b7E 


SUBJECTS OBSERVED (MALE) 


Ml 
M2 
M3 
M4 


SUBJECTS OBSERVED (FEMALE) 


Fl 


F2 


F3 


VEHICLES OBSERVED (LICENSE #/YEAR/MAKE/MODEL/COLOR) 


b3 

v b6 
V2 b7C 
b7E 


v4 


TELEPHONES USED (NUMBER AND LOCATION) JAN 0 eb 


7 ? i 


ali 10/27/98 


SURVEILLANCE LOG -[_—sJDIVISION " &b3 


b6 
b7c 
b7E 


CONTINUATION SHEET 


Page Qa of 3 


b7E 


a 
eed. PA a Pa 


b7C 


at ent cee AEE 
2 PT OCSCSCSCSCSC‘C‘*dSSZ, b7E 


9K pf f4MCT 
ty an Pelvewas 4% L- 


yy } Oo 


b6 
b7C 
Modified 10/27/98 


A\ 


= 


Ww 


SURVEILLANCE LOG -[_____ ] DIVISION 
CONTINUATION SHEET 


File # : Case Log Prepared 
ae ee Cs a 


Modified 10/27/98 


The following investigation was conducted by squad 17 


Surveillance Date: 12/14/98 
Day: Monday 
Weather: Partly Cloudy 


at which time the 
ollowing observations were noted: 


Time Initials Observations 


(V-1) was 
V-1 


ae into the 
es oe 


and (vV-5) 
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in driveway bic 


M-1 and (M-2) w/m 
L-4 and enter V-2 and depart 
V-1 in driveway at L-1 


End of surveillance. 
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Case ID #: ending) 
Title: HACKING FOR GIRLIES, 
ET AL; 
New York Times - Victim 
CITA; 
OO: NY 
Synopsis: Results of interview withL__ and the b6 
appropriate coCuMenEG ETON: b7C 


Enclosures: One original and one copy of FD-302 interview with 
along with original interview notes in 1A 
envelope for New York Division. 


Details: | was interviewed at his place of 
residence on 12/16/1998. He was j 


of the New York Times. The results of the interview are 
documented on the accompanying FD~-302. 
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social securit 


born 
who resides at 
telephone number 
is place of residence regarding his possible 
involvement in some internet hacking activity. After being 
advised of the identity of the interviewing agents and the nature 
of the interview, he provided the following information: 


account number 


12/16/ 


a | | 


Date dictated 12/18/1998 


Investigation on 


File # 
by 


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; 
it and its contents are not to be distributed outside your agency. 
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b6 
b7C 


b6 
b7C 


These men are 
met at_a Def Con convention in Las Vegas, Nevada. 
said that was formerly employed at 

1 and later in where he performed 
Per has the most extensive 

ar none of all bugs used in connection with an 
intrusion detection system product. stated that, “for a 
company with products (goods to sell), his database is 
golden.” ice shiae the foresight to see where the security 
needs would go. On average, other similar databases are only 2-4 
years old compared to which was compiled over the last 
six years. eee penetration, network auditing and 


esearch evelopment work, as well as other functions at 
stated that he knew[_____—sdjused internet nicks 
or handles of and[ as well as others that he couldn't 


recall at the time. He also stated that[__] could currently 
have a web page. In the past,[___]has had a web page which 
has been changed a few times. 


mets through internet relay chat (IRC) bé 
rooms. He_had been looking for someone with strong skills and b7c 
said that was highly recommended by his internet 
associates. At is focused primarily in 
research and development of security software. He has also been 
developing operating software. ———= said[ sid uses the 
handle or nickname of but that he frequently rotates is 
internet handles so[-_] isn’t sure what he is currently 
using. 


Another employee named[__—d| worrkss | a 
software development. However, he is not compensated monetarily 


but, rather, with stock in the company. 
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[sd stated that he worked for [| _—______ 
where he was in charge of developing. One of 


responsibilities was to help create the company’s web page for 
which he laid out the blue print and concept. [L__J also 
designed the concept for the[___] web page. He has worked 
significantly with computers and has several at his personal 
residence. However, only two PCS and a Macintosh are currently 
working. He is very familiar with the internet but claims that 
he mostly conducts business related matters over the internet as 
opposed to casual browsing. He stated that he does not have a 


web page. His handles change and/or are rotated frequently but 
he uses | 


When asked what he knew about HFG (Hacking For 
Girlies),[___] responded that everybody has heard of them 
over the internet. He was aware that they hacked into the New 
York Times and that another group (LOU) hacked into several sites 
in Japan in retaliation to HFG. He could not explain the 
connection between LOU and HFG and stated that, other than what 
he has read in magazine articles, he doesn’t know anything about 
HFG. 


; Asked if he_knew whether | or [ were 
associated with HFG, [___'| stated that he would be very 
surprised if they were because he believes that they would have 
too much to lose. He also said that he has heard them “rip” on 
people that hack. He said that if they hacked the New York Times 
that they would be “screwing” him and he doesn’t believe that they 
would do that to him. He also stated that has been 


and views it as an unlike conflict of interes 
would be hacking 


[id stated that he was familiar with the web site 
. He explained that he was not responsible for the 
web page, but rather, ——Csid@ o£: an IRC 
chat room) acquaintance, set up the web page. Asked 
about whether aoa could be involved with HFG, aay said 
that it would be unlikely because he doesn’t believe that 
has the skill to_be a hacker. When asked about the link from 


to explained that[__]was probably 
trying to throw business to . 
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aimed that he was not familiar with the 


handles His sentiment is 
that the names are so long that they would be irritating if used 
in IRC. 


The following is a description off 


Name: 
DOB: 
SSN: 


| Sex: 
Height: 
Weight: 
Build: 
Hair: 


Address: 


Telephone Number: 
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Date of transcription 12/16/98 


was advised of the identity of 
the interviewing agents and the purpose of the interview. 


was served with a “2703(f£)” letter from the 
United States Attorney, Southern District of New York, dated 


December 14, 1998, and signed by ausa[ |. 


advised he knewL and thatL sd 
used to have some of his Scie 4 ieee co-located at 
Approximately three months ‘ago bh a friend remove the 
equipment from stated ee ee computerized 
records and information for 90_days after the termination of 
service of a client, therefore or may not have deleted 
records/account information for stated that he 
was very aware of the meaning of the letter and that he would 
— comply with it when he receives an appropriate Order. 


has taken a class on complying with the Electronic 
ommunications Act and received instruction from a Department of 
Justice Attorney. advised two of the partners in[_Jare 


attorneys and_they wou not do anything to cause their being 
disbarred. would not acknowledge whether[__J]currently had 
any information on without being first served with the 
Order. 


Investigation on 12/16/98 at | | . 
File # Date dictated 12/16/98 


by 


This document contai her recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; 
it and its contents are not to be distributed outside your agency. 
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was advised of 


the identity of the interviewing agents and the purpose of the 
interview. P=“ Teeoviaed the following: 


SS | a the winter of 1994 over 
the Internet cha 


room called #hackers. was having 


troub some IRC software compilation for a client. At the 
time was living in attendingl sd 
: decided to check with 


some hackers to see 1f anyone knew _how to fix her problem. After 


meeting[_____Jon the Sieg fe corresponding with 

him via E-mail, IRC sessions, the Eelephone and even sent him her 
picture. a visited during spring break. then 

dropped out Of School and started living with 

also met his roommate 


obtained employment at a near 
worked in the computer 
also worked at 
lived in an apartment near 
ot_a job working as a Help Desk representative 
which was recently purchased by 

where they lived together for 
approximately one and one half tes believes they split 


up in the summer of 1996. split up withL____—'| because 
she was annoyed with his friends and their activities. 


[~~ Jana friends would have activities called “group 
nights” wherein they would hack into other systems and go through 
trash at businesses. Group nights were part of the hacker group 

, O ich they were all members. Group 
nights were also called Nights”. Trash hauls produced 
computer printouts of information and electronic hardware. For 


instance, at one time their apartment had_twenty-one 19" monitors 
of which approximately one half worked. [| stated that she 


felt group night activities was something in which she could get 
into: trouble over and possibly lose hér job ca 
felt [____]Jwas a negative impact_on_her life and so wanted to 


keep away from him. Just before[_|broke up with 


Inve | 
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things which knew they couldn't afford (computer 
equipment, telephones etc.). attitude on hacking seemed 


to be changing. ee away from was 
constantly asked by roommates to store computer 


equipment at her house. She refused. 


“stuff” started ee new in the apartment. This stuff was 


stated that[___jana his friends hacked into 
many companies including NASA, NETCOM, US West, and Stonehenge. 
urpose of the hacking was to 


had Electronic Serial Numbers (ESN’s) for 
cellular telephone numbers. They also_had the “burners” to 


11 phone Typically would dial into the 
which was a “trusted tem 
by many other systems, and then attack other systems. would 


also collect credit card information, but would never use them to 
obtain anything of value. [__]also collected interesting E-Mail. 
usually just wanted to look around and have a challenge. 


described[_ sas a huge collector of 


information. wanted to have everything. helped 
edit and write for an on-line magazine called 
and covered a 


large range of topics. very much 
Since he moved to moved there in 


approximately an rior to that hadn’t been 
employed for about one year. Eee moved to[___]to work 


for but hi osition was closed shortly 
after taking the job. While at talked about 
computer security at military bases. then went to work 


does computer security consulting, security 
advisories, and maintains a database on how to hack systems, 
bugs, patches etc. 


stated that she suspects thatl_—iddia the NY 
Times hack but has no proof, and has never admitted it to 
her. The_Times hack was signed by 
has used as a hacker handle in the past. 
has a problem wit ow the press writes articles on hackers. The 
press has put out articles on people that and knew 
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personally but were blatantly not true. [is very anti- 
government, but needs money so he will speak at government 
functions. ease know_if is a member of the 
group “Hackers For Girlies”. is very vague, even with 
people he is close to. when asked if he has done 
something, will often grin_or wink, but he won’t say if he did 
Lt. his “girlie” The press did 
approach 


to ask aa ce responsible for 
the Times Hadh. Mio Wero ac ef | 


Help Desk for wo or three friends who are members 
of the group is.a group that 
offers help to secure computer systems. releases. software 
that shows vulnerabilities of computer systems and can be 
described as similar to SATAN. 


| | described herself ana| Jas being on 
the edge o é hacker scene. described hacking groups as 
being a very close knit society. ile doesn’t really 
hack, she has “been around” and knows the people. [__ luses 
the hacker handle off —C‘CCdt‘tas a domain called 
which is a xr people who need it. 
as an employee benefit. 
have seven computers connected to their 
ot of Web development. The computers are 
various operating systems such as Windows, Unix, 


etc., and are networked together. Two of the computers belong to 
eel When [____sJwent to work for[____] she kicked 
most_of the users off because she didn’t’ want them hacking into 
the[ _| system. 


[__| described the following members of[___]las 


system. 
configure 


follows: 


and leader of [ at 
| —~t~‘“‘iéiSNOW HEelieves that 


eel feels| ss fthinks this wa 
hacked inco[ 
j got 


(Last Name Unknown) an 


has married and is trying to be 
responsible. 
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—7 ee a a IT, 6 7C 


[___ti‘“;W_CiCO OUWas interviewed By law enforcement (possibly 


a iad Has since moved to 
[ras not the leader, but a lackey. 
b6 


LNU. Not a big player, but fixed everyone’s cars b7c 
when they broke down. 


(phonetic, butL__ 
An annoying kid who “pissed” everyone off and was kicked out of 
the group. 


Doesn’t know anything about him. 
Doesn’t know anything about him. 


a ke that is no longer active and bé 
everyone who was involved wit has abandoned it. [| b7C 


stated that it was easy to_hack when all you had was a job that 


paid $6.00 per hour (like . A lot of the people i 
have grown up, have responsibilities and jobs that they don’t 
want to lose. now wants to keep hackers out of her 
system. just got accepted at 


and will be focusing on a computer science and multi- 
media degree. [ultimately wants to create computer games. 
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FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE -Date: 12/17/1998 
From: 

SQUAD 4 

Contact: SA 


roved By; [___ 

fted By: [__ 

e ID #: LT (Pending) || 
Titles [ 


et al; 
CITA; 
00: New York 


' Synopsis: To report coverage of lead to serve 
— with 2703 (£) létter, and to interview 


Enclosures: Enclosed for New York is the followin 
original and two copies of an FD-302 interview of 
2. A 1-A envelope containing interview notes of 
original and two copies of an FD-302 interview o 
4. A 1-A envelope containing interview notes of 


signed by AUSA was cooperative. On 
December 16, i ; ngineer, 


was interviewed regarding her ee — 
Details are in the enclosed FD-302. [consi ers 


this matter closed. 
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Wired News . 


The Not-So-Happy Hacker 


by ¢ Arik Messcida 


NEW YORK — A woman identified as an enemy 
of the crackers who attacked The New York 
Times online site recently says the FBI now 
considers her a suspect as well. 


"The FBI has no rational reason to consider me 
a suspect," said Carolyn Meinel, a New Mexico 
computer security consultant. 


Meinei, author of ihe Happy Hacker and 
founder of an eine ruty by the same 
name, held a ence attended press 
conference in New York Wednesday to 
publicize what she says amounts to harassment 
by the FBI. 


Meine! claims that FBI investigators, eager to 
make an arrest in the high-profile case, are 
following a trail gone cold. The result, she said, 
has been a bitter stalemate. She said she would 
like to cooperate with the Bureau's investigation, 
but fears that doing so might lead to her 
wrongful indictment. 


When told by FBI agents that she was a 
suspect, Meinel said she was asked to take a lie 
detector test. She agreed at first, but following 
the advice of lawyers and friends, Meinel later 
refused. 


"| was told that the only reason they ask for a lie 
detector test is when they want to trip you up 
and get you to say something they can use to 
ask for an indictment," she said. 


Later, Meine! was told she was not a suspect in 
the case, but that the request to take the lie 
detector test still stood. 


FBI Special Agent Doug Beldon said he had no 
comment on the case, and would not confirm or 
deny that the attack is under active investigation. 
Published reports say that the FBI's 
computer-crimes unit is handling the case. 


Meiner was one of several people named ina 
= posted on The New York Times Web 
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The Not-So-Happy Hacker Page 2 


continued 

Others taunted by the HFG statement included 
New York Times reporter John Markoff and 
Tsutomu Shimomura, a computer security 
expert who assisted the FBI in the arrest of 
Kevin Mitnick. Markoff and Shimomura co-wrote 
a controversial book about the Mitnick case, 
Takedown. A movie based on the book is under 
development by Miramax Films. 


“She is writing a chapter about us in her second 
book.... Her goal all along has been to lead us 
on, watch us get busted, then write about us, a 
ta Markoff/Mitnick, Shimomura/Mitnick, 
Quittner/MOD, Stoll/Hess. See a pattern 
forming here? We sure do,” HFG wrote. 


The group claimed that Meinel asked them "to 
hit a bigger and more trafficked site," according 
to the statement. "She told us that she is almost 
done with the book." 


A second edition of The Happy Hacker has just 
appeared, which Meinel made available to 
reporters. She scoffed at suggestions that her 
connection to the attack had helped sell more 
books. 


"| had the chance to exploit this incident in 
September and didn't. I've been a lousy publicist 
for this book," she said. 


When first contacted by Vvired News on 13 
September, the day of the Times attack, Meinel 
denied any relationship with HFG. "I don't know 
who they are in real life," she said at the time, 
denying their claim that she was writing about 
them. "| hope they come to their senses before 


they wind up in jail.” 


Meine! said the first she had heard of HFG was 
on 7 August, when the group allegedly hacked 
cute 65, a New Mexico ISP where Meinel 
holds an account. Whoever cracked the ISP 
apparently also downloaded a file containing 


1,749 credit card numbers. 


Details of the attack on the ISP were reported in 
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an interview with individuals claiming to be the 
perpetrators. 


Having written about the cracker underground in 
her book and for Scientific American, Meinel is 
no stranger to their wrath. She detailed a history 
of telephone and email harassment against her 
dating back two years. She said she has been 
kicked off of four ISPs as a result of various 
hacking attacks against her. Each attack was 
reported to the FBI, she said, who took reports, 
but did little. 


Meinel said she was approached by an FBI 
agent in 1997 and asked to write a proposal for 
teaching the bureau about computer criminal 
tactics. That offer was abruptly rescinded when 
a teenage associate of Meinel's was raided by 
the FBI on suspicion of hacking crimes. Meinel 
said she suspects the boy, called "Foobie" in 
her book, was framed by her critics in the 
cracker underground. 


One former cracker-turned-computer-security 
consultant — Brian Martin, who goes under 
various handles, including Mea Culpa and 
Jericho — has published the details of his 
complicated ongoing feud with Meinel. 
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FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 12/28/1998 


To: FBI Headquarters Attn: ssa[ b3 


CART b6 
a . b7C 
From: New York Q b7E 
C-37 : 
Approved By: [__ 
prafted By:[ Cid 
case 1p #: [|] (Pending) 


Title: b6 
b7c 
NEW YORK TIMES-VICTIM; 
CITA; 
OO: NY 
is: Recognition of the efforts of CART examiners[ _| b6 
in connection with the bic 
Search of bE 
on December 16, 1998. 
Details: SA would like to personally thank 
in the search of 
on December 16, 1998. Their 
assistance in carrying out an extremely complicated 
was invaluable. 
b6 
initiative to b7c 
b7E 
Furthermore, this assisted 
er search location. 
They arrived the night of 12/15/98. _ ee acs 
at approximately 9:30 am on 12/16/98 and ende a about 1:30 am 
on 12/17/98. On 12/17/98 at approximate R00 % 
home. 
™. te, etree mre 2 ; & ; 
moe eee b3 
UPLOADED Lie: thinks.c.ec 2 
WITH/TEXT. 6 (revised ) b7C 
WITH/G iT b7E 
BY. “" 
BAT! ' 4 
? ih ib 
- ah 7 a ee 
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To: _FBI Head wae From: New York @ 
ne: [12/28/1998 


The team came prepared and went way above the call of 
duty. [performed daar peorcse ional manner 
that was not only recognized by the SAs but by emp 


lovees of the 
ISP. As a result, a favorable impression was ss eae 


Appreciation is extended ee 
are to be commended for their efforts and professionalism. 
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FD-302 (Rev. 10-6-95) 
Pe eee 
FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 12/16/98 


A search_warrant was executed on 12/16/98 for the 
remises known as 

FBI personne eparte FBI headquarters at 
approximately 8:00 am. Entry of the premises occurred at 8:55 


Special Agent (SA Following a_ knock and announce by 
sal | Subject] opened the 


door. Subject , also an occupant of the apartment, 
was discovered in the bedroom upon entry by the team. 


Once _ the scene was secured, entry photographs were 


taken by SA[_______s| and the photograph log was maintained by SA b6 

Immediately following the photographs a search of the b7Cc 
premises was conducted. Attached is a copy of the evidence b7E 
inventory sheets that itemize the evidence removed from the 
apartment. The scene was released to and all 


personnel exited at about 3:26 pm. 


ees 


Investigation on 12/16/98 at | | b3 


b6 


File # | | Date dictated 12/16/98 b7c 
ee ea b7E 
by SA | | ee 


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; 
it and its contents are not to be distributed outside your agency. 


am. The members of the entry team were Special Agent (SA)[~___ ] be 
Special Agent (SA) Special Agent b7¢c 
Special Agent (SA and 
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FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 01/05/99 


SOURCE, who is not in a position to testify, provided 
the following information: 


SOURCE believes that 


Investigation on 


11/04/98-12/28/98 York, NY 
File # Date dictated 01/05/99 
by 


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; 
it and its contents are not to be distributed outside your agency. 
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FEDERAL BUREAU OF INVESTIGATION. 


Precedence: ROUTINE Date: 01/06/1999 
To: FBIHO LAB Attn: CART, Room 4315 
New York Attn: Evidence Control Unit 
From: New York ; BS 
C237 | eo 
Contact: SA ext .3187 nes as 


Approved By: 


cera (ae oor 
668-HOC1155003 (Pending) 
Hetero trending) ga 


Title: Hacking for Girlies; 
Et al; 
New York Times - Victim 
’ CITA 
OO: NY 


Reference: Tglephone call from sa(____|to sa[__| = 


regarding captioned matter. 


Synopsis: Request assistance of FBIHQ, CART Unit that computer 
search assistance is needed in connection with captioned case. 


.Details: On September 13, 1998, the New York Times 
‘website (www.nytimes.com) was hacked by a group known as HACKERS 
FOR GIRLIES (HFG). The hackers altered the NY TIMES website with 
a webpage containing various text messages and graphic images. 
As a result, the NY Times took their computers off-line for 
approximately nine- hours. 


On December 16, 1998, a search was executed ink b3 
on subjects residence. As a result, evidence listed below was b6 
seized. Its believed the computers seized where used in the bic 
hack. The computers run abe —leseeceiag syste Rie 


encrypted files. 


Wri sts evidence received by 
01/06/98 ie forwarded to FBI Headqua 
CART Unit, Room 4315, for analysis. The followin 
evidence should be forwarded/analyzed: 


Barcode Description 
b3 
f b6 
| p b7C 
| Fle = ovid2 hy eB” 
WITHTEXT____¢ j is 
WITHOUT Tren = Cae 
BY. —= poet | 
DATE = a oar ecole idadal 


To: FBIHQ LAB Attn: CART,Room 4315. 
From: New York 
Re: [.___] 01/06/1999 


b3 
b7E 


The remaining evidence will remain in New York. 


To: FBIHQ LAB Attn: CART,Room 4315 


From: j rk 
Re: 01/06/1999 b3 


b7E 


LEAD (8s) : 
Set Lead 1: 
FBI HEADQUARTERS 
AT WASHINGTON DC 


Request that a CART FE be assigned to provide 
assistance to New York for the analysis of evidence. 
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L_] Credit Nh criminal 


CL] Birth 


To 


Om 


@ 
Date i ~Ot-& 


[_] Death {[] INS [_] Marriage* r4 Motor Vehicle [[] Other 


Buded 


File number 


. (37 at 306; - 
: K b6 
applicant, or employee, and spouse b7C 
b7E 
Addresses 
Residence 
Business 
Former 
*Date and place of marriage 
Cif applicable) 
Race Sex Age Height Weight Hair ‘yEyes 
| Male 
Female 
Birth date Birthplace 
b6 
b7C 
Arrest Number Fingerprint classification Criminal specialty. 
Social Security Number Drivers License Number 


Specific information desired 


Results of check 


Photo 


Other 


(1/24/75 
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INVESTIGATIVE INFORMATION REQUEST FORM 


ITC Use Only: 
2 Date/Time In: 

FBI, Butte Information Technology Center Date/Time Our: 
400 Nocth Main Street, Room #115 


Butte, Montana 5970! 


taBase(s) Used: 


: 5. 9. 
z 6. 10. : 


! 
> Commercial Telephone (406) 782-2304 2 
> FTS: (406) 782-2304 FAX: (406) 782-9504, 782-9507 & 782-7418 3 ee | eee ee 
b> Secure FAX & STU IU: (406) 782-2304, Ext. 26 4, 12, 
Handied By: 
TO: FBI, BUTTEINFORMATION TECHNOLOGY CENTER pyc 
Date: -ls- 
Forfeiture/Scizure Related: LC) Type of Request: | FAX © Telcal O Mail Response: i Telcat 3 Mail me 
Requestor: 5; Phone #: FAX #: 212- BY ~ eo UCEN: 
(Requestor Nume is seen} (UCEN (F 
Office/RA: NY Precedence: {ROUTINE {) IMMEDIATE 
(Emergency/Crisis see) | | 
SEARCH CRITERIA (Attach additional sheets if necessary) = 
Name - Last: First: Middle: | | 
Alias: Sex: f  DOBI: DOB2:_ J 
SSANI: ~ - SSAN2: - - Spouse: BE 


Fugitive: O Yes ANo _ Driver’s License #: State: 


RESIDENCE ; 
Street Addrese:| | ciystarel Lz L_| ore: | 


BUSINESS 

Business Name: Street Address: 

City/State: Zip: Phone: Business ID#: 
af CHECK DESIRED SEARCH PARAMETERS (Please check only those that are needed) 
| pl 1. Specific Information Desired a uy + r 08 


. Determine All Individuals Associated with Social Security Number(s) 
- Report Validity of Social Security Number 

. Determine Who is Associated with Telephone Number(s) 

. Determine Address of Business/Person ( 38; 
. Determine Property Owned by Individual ( U.S. 
. Determine Who Owns Property Listed Above 

. Determine Who Resides at Address Listed Above 

. Determine Financial Background Info, i.e., Bankruptcy, Judgments, Liens, UCC filings, or Lawsuits 
0. Determine Corporate Business Info, i.e., Officer, Director, Registered Agent 


State(s)) 
State(s)) 


2 ee 


Ar fp UF pO 


re Fe? 


nooooooRmy” 


— 0 00 ~) 


Cj 11. Customs Border Crossings / Subject query / 1-94 info (circle one) 
O) 12. Federal Prison Inmate Information 
C] 13. Telemarketing Complaints 


Reply From: FBI, Butte Information Technology Center (BITC) 
Return Reply To: 
SAC, 
Attention: 
Based on search criteria, marked records are attached: 
EPossible Identifiable Records O Brief Synopsis of Information Found 
0) Other Peripheral [Information [7 No Information Found 


b7Cc 


| a Rertson/Business) 


b6 
b7c 


REPLY FORM - INVESTIGATIVE INFORMATION SERVICES 


To help us better serve your investigative needs, please complete 
and return to: 


FBI, Butte Information Technology Center 
400 Main Street, Room #115 
Butte, Montana 59701 


BUTTE : 84577 UCFN: 
ANALYST: SUBJECT: 


Was the information provided helpful to your investigation? OF YES OF NO 


If NO, please let us know how we could be more helpful to your 
investigation: 


ACCOMPLISHMENT (S) resulting from information: 
PERSON(S): (Enter total number applicable to each of the following) 


FBI Fugitive(s) Arrested: O FBI O Local Date 

(Forward photo of Fugitive arrested with this Reply form) 
Local Fugitive(s) Arrested: O FBI MO Local Date 

(Forward photo of Fugitive arrested with this Reply form) 
Subject (s) O Arrested [] Located O Identified 

(Forward photo of Subject arrested with this Reply form) 
Witness(es) OO Located O Identified 
New Witness(es) O Located OF Identified 
BUSINESS (ES): (Enter total number applicable to each of the following) 
New Business(es) Identified 


New Business Associates/Associations Identified 
Financial Audit Trail(s) Enhanced 
ASSET(S): (Enter total number applicable to each of the following) 
(TYPES: C = CASH R = REAL PROPERTY P = PERSONAL PROPERTY) 
Asset(s) 0 Located O Identified [VALUE: TYPE: 

_. Asset(s) Subject to Seizure/Forfeiture [VALUE: TYPE: 
__ ~botential Economic Loss Prevented [VALUE: TYPE: 
OTHER: (Enter total number applicable to each of the following) 

New Case(s) Initiated New Lead(s) Generated 
COMMENTS : 


b3 
b6 
b7Cc 
bT7E 


1-case File [| 


1 - BITC 
PLEASE RETURN TO: BUTTE ITC 


b3 
bIE 


as 


f a 


DEC-B4-1998 15:36 [et FAX 


ee oe 
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Date: 
PLEASE DELIVER THE FOLLOWING PAGES TO: 


Agency: {AL / 
Phone Hs ( ) | / | 
FAX NUMBER: __(212_).384-YU4GO_ ov 


[f csimile Message is being sent by: bs 
Name: , fo 
is 9 The. DRL Ey AJ © / 
: | / 

: . J 


= FAX # + (303) 629-7171 = 


Number of Pages, INCLUDING this Cover Sheet oi -v 


Approvall Vv | So ae | a 
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FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 01/24/1999 


a. Aovted oe a 


From: Butte ITC 
Investigative Information Services Center (IISC) 
Contact: [id 406-496-3805 


Drafted By: [ 
Case 1p #: [[]_ (Pending) 


Title: 
BUTTE REQUEST 189832 


Synopsis: Results of database searches conducted by IISC. 


Enclosures: Attached are copies of printouts setting forth 
results of inquiries conducted by IISC and a Reply Form. 


Details: U.S. name search located one record for showing Social 
Security Account Number address arn 


Credit bureau_search on number , show this 
in the state of , and is being 
current address listed is 


number was issued in 


the most 


No criminal history record located. 
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To: New York From: Butte ITC 
re: [= 01/24/1998 bs 
b7E 


LEAD (s): 
Set Lead 1: 
NEW _ YORK 
AT NEW YORK 
Complete and return Reply Form to Butte ITC. 
o¢ 


“i ROY (Rev BoE 98) 


Jan-21-39 16:49 


1TC Use Only: BITC Record #: l 
Date/Time in: _1-2 2 ances 


INVES TUG 4 FPvt INFORMATION REQUEST FORM 
am (’pm 
O am 0 pm 


FRI, Butte -; catinn Technology Center 
400 Newb be oJ. 4) Foam #UIS 
Butte, Moree? ‘ 
> Commercial Telephone “dts: 
> FTS: (406) 782-2304 va. 2 FRI-GSOS 782-9507 & 782-7418 
> Secure FAX & STU tlh (a8) Sa Tat. 26 


ect SENG 


1 
2. 
3. 
4. 
Handled By: b7C 


TO: FBI, BUTTE ENFOH? PS Fe SANOLOGY CENTER 
Date: [-31- 44 rae 

Forfeiture/Seizure Rete." 25 Type of Request: FAX © Telcal © Mail Reply: ‘ FAX  Telcal O Mail 
gaueiae 7 _ Phone #: ole-354 - 354 -3 194 94 FAX #: 219-384 - -660 UCEN: b3 


Paige jane tects Ee (UCYN (File b6 

oricdRA: NOAM Yote 9 ecm, Precedence: XCROUTINE (] PRIORITY Oh IMMEDIATE Boe 
Approximate turnaround times (48 hrs) (24 brs) (2 hes) Kae 

SEARCH CRITERLA 2 Htakiional sheets ‘Yf necessary) 

Name - Last: 4 Sato os patted in at ces Middle: 

Alias: cman Sex: F DOB DOB2: ee 

ssannd_—__]s BS ees ee = Spouse: 

Fugitive: Yes res License #: State: 

ee Dees 

Street Address’ | — come Zip] | Phone: 

BUSINESS 

Business Nanw: . . oP ots ules fhe: SUCEE Address: 

City/State: _. Zip: ss Phone: Business ID#: 


CHECK DESIRED © «=f SouEETE *RS (Please check onl those that are needed) — 
¥ 1. Specific Informe" ae  Cyseenk Sats cri me 


ee ee cer re ee seem 


C2. Determin: AE +E onreitied with Social Security Number(s) 
0 3. Report Validity u: Sar eb teats dy Number 

0 4. Determine Whe. iy Ae asiased vidi Telephone Number(s) 

0 5. Determine Addis. 4: cree ee eee eo 
O 6. Determine Property Craned by individual C__. U.S. 
C17. Determine Whe Jee 0 oy Listed Above 

O 8. Determine Who Eesidcs if Address Listed Above 

0 9. Determine Fire ial Packgcound Info, i.e., Bankruptey, Judgements, Liens, UCC filings, or Lawsuits 
Ot 10. Determine Corporate Rusiness Info, i-e., Officer, Director, Registered Agent 


9 eg State(s)) 
State(s)) 


9 ene 


(Person/Business) 


O 1. Cus ustomns Borer ¢ si Subject query ry / 1-94 info (circle one) 
C3 12. Federai Prison tank? Jae irmation 
OO 13. Telemarketing Comelaints 


Repir From: FBI, Butte Information Technology Center (BITC) 


Retum Reply Ts 
SAM. 


3 Saarinen 
shad On seatch criteria, marked records are attached: 

Pree ie «Kent able Records ; CO Brief Synopsis of Information Found 

wth ¢ Pertpheral Information C1 No Information Found . 
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REPLY - INVESTIGATIVE INFORMA N SERVICES 


To help us better serve your investigative needs, please complete 
and return to: 


FBI, Butte Information Technology Center 
400 Main Street, Room #115 


Butte, TE Ge; 59701 
4 
ow) 
BUTTE ITC RECORD re >: 
anaLyst: [= SUBJECT: __ 
Was the information provided helpful to your investigation? 0 YES & No 


If NO, please let us know how we could be more helpful to your 
investigation: 


ACCOMPLISHMENT (S) resulting from information: 
PERSON(S): (Enter total number applicable to each of the following) 


FBI Fugitive(s) Arrested: {] FBI CO Local Date 
(Forward photo of Fugitive arrested with this Reply form) 
Local Fugitive(s) Arrested: O FBI O Local Date 
(Forward photo of Fugitive arrested with this Reply form) 
Subject(s) O Arrested O Located O Identified 


(Forward photo of Subject arrested with this Reply form) 
Witness(es) O Located C] Identified 
New Witness(es) © Located OF Identified 
BUSINESS(ES): (Enter total number applicable to each of the following) 


New Business(es) Identified 


New Business Associates/Associations Identified 
Financial Audit Trail(s) Enhanced 
ASSET(S): (Enter total number applicable to each of the following) 
(TYPES: C = CASE R = REAL PROPERTY P = PERSONAL PROPERTY) 


Asset(s) 0 Located O Identified [VALUE: TYPE: 
Asset(s) Subject to Seizure/Forfeiture [VALUE: TYPE: 
Potential Economic Loss Prevented [VALUE: TYPE: 


OTHER: (Enter total number applicable to each of the following) 
New Lead{s) Generated 


New Case(s) Initiated 
COMMENTS: 
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(12/3 1/1995) 


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 01/24/1999 


To: New York Attn: sat 


From: Butte ITC 
Investigative Information Services Center (IISC) 
Contact: [—sdYSL"C#X06 - 496 -3 8.05 


Case 1p #: [1] _ (Pending) 


Title: 
BUTTE REQUEST 189833 


Synopsis: Results of database searches conducted by IISC. 


Enclosures: Attached are copies of printouts setting forth 
results of inquiries conducted by IISC and a Reply Form. 


Details: Drivers license search located record 
sense L listing an address of 


Social Security search using name and address_from 


drivers license located Soci ity Account number[ 
[jas being associated to Most current address 
listed is 


No criminal history record located. 


b6 
b7C 


To: New York From: Butte ITC 


bT7E 


LEAD (s): 
Set Lead 1: 
NEW YORK 
AT NEW YORK 
Complete and return Reply Form to Butte ITC. 
+4 


Ty 
iP 


Jan-21-S9 16:49 


‘ Zz ; 
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INVESTIGATIVE INFORMATION REQUEST FORM ITC Use Only: BITC Record / BIRR 
Date/Time In: ~Al O am 0 pm 

FBI, Bulle is! rination Technology Center Date/Time Gut: _ 7/2) ISCO am O pm 

400 North Minis wt Buon Als . Database(s) Used: 

Butts, Mutta.: 2 4? 1 ; 
> Commercial Telephony slip + Eo si 2. 
> FTS: (406) 782-2304 FAA. arse, T82-SO4, 782-9507 & 782-7418 4 b3 
> Secure FAX & STU ill. £405! 2-204, Ft. 20 Handled By: eee b6 
TO: FBI, BUTTE INFORRIA)° is TECHNOLOGY CENTER eae 
Date: b-obe 44 ets 
Forfeiture/Seizure feittecd: C1 Type of Request: Mf RAX O Telcal Ol Mail Reply: hf FAX (1 Telcal 0 Mail 
Requestor:. Sil er _. ., Phoue #: 214° 384-3188 PAX #: _21A- 384-4666 UCEN: 

Range: © lo. ops edh 
OfficetRA: _Aleu) — ie eal tenia 32S, Precedence: S{ ROUTINE OI PRIORITY [) IMMEDIATE 

Approximate: tumaround (48 brs) (24 hrs) (2 hrs) 


ditional sheets if necessary) 


bie eee aclachitd 2 atu PALS Middle: 
Sex: F DOBI: DOR2: Lf oe 


a8 eed : > - Spouse: 


Pyro ane” Lice SOS ff: State: 


Namie - Last: 
Alias: 


“eo 
te 


Fugitive: [ Yes 


RESIDENCE 


BUSINESS 
Business Name: eee «Street Address: 
City/State: : vat es a Phone: Business ID#: 
CHECK DESIRED - 4: CHARIETERS (Please check only those that are needed) 
1. Specific aa bd ii his 


C2. Determine Ali i bs ree with Social Security Number(s) 
(43. Report Validity a as ee - Number 

O 4, Determine Wie ts Access at witht Asie onene Number(s) 

0 5. Determine Address e neswlPerson {0 LLS. Z ; State(s)) 

CO) 6. Determine Property Owisst hy sadividual ( _ULS. ; ; State(s)) 

0 7. Determine Who C2. Peoperty Listed Above — ~ 

O 8, Determine Who Reselss ot Address Listed Above 

O 9. Determine Pinancis' eck ee info, i.e., Bankruptcy, Judgements, Liens, UCC filings, or Lawsuits * 
O 10. Determiny Cx rporat Husiness Tofo, t.e., Officer, Director, Registered Agent 


~ 


OC If. Customs Borcer « resings i Subject query / T- 34 info (circle one} 
C3 12. Federal Prison facies feeerinafion 
13. Telemarketing oe. 


(Person/Business) 


Nyy Fram: KBE, Butte Infonnation Technology Center (BITC) © 
“Returs Reply Vo: - : : : . aaa 4 Pe 5 oF 
SACL a. Oat Sect a e : * 


asd on sectreh criteria, marked records are eek 7 
f as. We Weatifiable Records * - ’ OD Brief Synopsis of Information Found 
1. .xher Poripheral Information OO. No Information Found 


a 


ci REPLY @ -~_ INVESTIGATIVE INFORMAGDS SERVICES 


To help us better serve your investigative needs, please complete 
and return to: 


FBI, Butte Information Technology Center 
400 Main Street, Room #115 
Butte, Montana 59701 


SIESS b3 
BUTTE ITC : UCFN b6 
ANALYST: SUBJECTT — b7Cc 


Was the information provided helpful to your investigation? 0 YES © No 
If NO, please let us know how we could be more helpful to your 
investigation: 


ACCOMPLISHMENT (S) resulting from information: 
PERSON(S): (Enter total number applicable to each of the following) 


FBI Fugitive(s) Arrested: () FBI O Local Date 
(Forward photo of Fugitive arrested with this Reply form) 

Local Fugitive(s) Arrested: O FBI O Local Date 
(Forward photo of Fugitive arrested with this Reply form) 


Subject(s) Ol Arrested O Located O Identified 
(Forward photo of Subject arrested with this Reply form) 
Witness(es) O Located [ Identified 
New Witness(es) 0 Located OF Identified 
BUSINESS (ES): (Enter total number applicable to each of the following) 


New Business(es) Identified 


New Business Associates/Associations Identified 
Financial Audit Trail(s) Enhanced 
ASSET(S): (Enter total number applicable to each of the following) 
(TYPES: C = CASH R = REAL PROPERTY P = PERSONAL PROPERTY) 
Asset(s) O Located Identified [{VALUE: TYPE: ] 
Asset(s) Subject to Seizure/Forfeiture [VALUE: TYPE: } 


Potential Economic Loss Prevented [VALUE: TYPE: } 
OTHER: (Enter total number applicable to each of the following) 
New Case(s) Initiated New Lead({s) Generated 


COMMENTS: 
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FBI - New York 


From: b6 
Sent: b7Cc 
To: hie 
Ce: 

Subject: - Hacking for Girlies and FB] news 
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FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 01/04/99 


was interviewed at his place of employment. 
After being advised of the identity of the interviewing agent and 
the nature of the interview, he provided the following 


information: 


Learned from 
employee, that a hacker known as claimed it for 
New York Times (NYT) hack. A couple of \weeks ister, bo] was 
telling people that were responsible 
the NYT hack. 


uses the alia on Rc. Ld 


Was a member of HACKING FOR 
heard that[ ss told others[__] 


heard a rumor on IRC that 
GIRLIES (HFG). 


During the summer of 1998, performed an 
authorized network scan against as a business deal. 


user accounts on 
that they beta tested different security softw 


i 


Investigation on 01/04/99 at 
Fite #| | ‘ Date dictated 01/04/1999 
by SA | | pu 


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; 
it and its contents are not to be distributed outside your agency. 
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FEDERAL BUREAU OF INVESTIGATION 


Precedence: PRIORITY 


Date: 12/08/1998 


To: FBIHQ ‘Attn: CART Unit 


From: New York 
C-37 


Approved By: [___ 
Drafted By: [__ 
Case ID #: [__ (Pending) 


Title: HACKING FOR GIRLIES; 
VICTIM - NEW YORK TIMES; 
CITA; 
OO: NY 


Synopsis: Request CART Headquarters assistance, for search on 
Wednesday December 16, 1998, and follow-up examination. 


Enclosures: (1) Color photocopy of computers to be examined. 


Details: On Wednesda December 16, 1998 
be executed at 


a search warrant will 


is believed to be associated with the 


hacking group “Hacking For Girlies” (HFG) 


. HFG is responsible 


for hacking the New York Times web page on September 13, 1998. 


oroperl 


Ld Furthermore, it is requested that] id 
ee ed 


At 


the present time, it is anticipated that the search will begin 
the morning of December 16, 1998. Case agents [ 
(212) 384-3187 and[_____] (212) 384-4506, will provide an 


operations order with exact search time, 
area. 
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location and staging 
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FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 12/08/1998 
To: New York Attn: A/asac{ 
FMU - NYO 
From: New York 
C-37 
Contact: ext. 4506 
Approved By: : ; b3 
b6 
; b7C 
Drafted By: b7E 


Case ID #: [ (Pending) 


Title: HACKING FOR GIRLIES; 


VICTIM - NEW YORK TIMES; 
CITA; 
OO : NY ! 


Synopsis: Request approval to pay for rental car expenses to be 
‘incurred by sA[__|during travel tol b6 
b7C 


Details: SA[___]was approved for travel to the[ division 
for the purposes of obtaining and executing a search warrant of 
(2) premises, one of which is occupied by[ | who are 
members of Hacking For Girlies (HFG), a computer hacker group, 


and the other of which is computers belonging to one of the 
subjects | | HFG has claimed 
responsibility for obtaining unauthorized access and replacing 
the New York Times web page on September 13, 1998. 


In order to conduct the necessary travel involved, 
including surveillance of location to be searched, travel to the 
US Attorney’s offices, FBI office, and other relevant locations, 
it is necessary that SA[__]have ready access to a vehicle. FBI b6 
does not have a spa icle for this purpose. It is b7c 
therefore requested that 2 (ea approval to rent a car 
during captioned travel. 


Wither; 
Win 
BY 

DATE 
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FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 12/17/98 


bé 
work telephone, aie 


after being advised of the identities of the 
interviewing agents, provided the following information: 


and works Be 
in the He has been BAe 


with the i i 1997. __ jis 


tools. The is physically located in 


prefers to remain in 


never used soci 
‘one other than 


All of [| ties with the hacker community were b6 
severed in approximately[_| after Bee 
ea of years ago had contact_with 
| someone who went by the name real name 
Ld 


(phonetic). 


[jusea i camel oy. when he was_involived in 
the cracker community. now goes by the name [ears ae) when 


online. The only reason L4 one wou Kd use a handle would be to 
remain anonymous, and he has no reason to do that now. does 
not have a computer at home, and has not since does 
have a workstation at[__Jand can access the Internet with this 
workstation. 


was aware of the New York Times hack only by a 
c 


N 


reading. a “ZDNet” (an on-line news publication), article on the 

boc ce never heard of the group “hacking for girlies”, 
rove" aiid ‘stated that times must have changed since he used to hack, 
because girls were never into hacking.[_] cited the IBM 
commercial in. which a girl is portayed as a hacker, and stated 
that the scenario was not realistic because a female would never 
‘be present in that situation. To his knowledge, [[__]|has never 


. ES oy OF 
RN 4 wo + ten od 


Investigation on 12/16/98 at | | b3 
File # | Date dictated b7c 
Oe | 


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; 
it and its contents are not to be distributed outside your agency. 


a ue we ee Le 7 


FD-302a (Rev. 10-6-95) 


Continuation of FD-302 of | | , On 12 ri 06 / 98 , Page 


been to the New York Times web site, unless he clicked on a link 
to an article, which would have automatically taken him to the 
site.[__| stated that he would have immediately left the site 
because it prompts for a username and password, and he has never 
signed up for their service. 


but the name 
then remembered that 
and that he was familiar 


with him because he may have electronically mailed (e-mailed) 
[with a request ef work for the 
company. This request came about 4 or 5 months ago. | 


declined the _request, but did suggest a eater that{ could 


has never heard of 
sounded familiar. 


use in their project. stated that these e- 
mails were the extent of his contact with does not 
know 


has “made a 180 degree turn” from_his hacking 
days, and now he doesn’t even like hackers. When[___]| was 
involved in hacking, he did it only for the “intellectual 
pursuit”, never for political reasons.[__]has never used the 


screen name and does not know_anyone who does.[[___] does 
not know anyone who goes by the hohe (sey 


[__juses a “sniffer” (a program intended to capture 
all data traffic on a computer network) at work, but only on 
systems that he is authorized to use, and only for legitimate 
business purposes. He used to use a_ sniffer as a hacker, which 
enabled him to among other 
things, on compromised networks. has never written a 
sniffer, and stated that there would be no need to, as sniffers 
are publicly available.[____] used a sniffer written b 

hacker who went by the name 
remembered naming the sniffer that he would install ona 
compromised system 


in an attempt to conceal it 
never stored his logs in a file 
nor has he heard of anyone 


from system administrators. 
or directory called 
using that name. 
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[_Jhas not heard of “The_Well”, but stated _“EchoNYC” 
sounded familiar. [_Jhas heard of and_knows 


a technical support employee at has never 


hacked remembered hacking a web site in 1993 or 
1994, in order to In 
with the help of another hacker known as 


remembered 
ut never remembered 


mentor and associ 
Shared all of their tools and exploits. 


as a dangerous individual who was loud, 
violent, and obsessed with serial killers. was truly a 
genius, and was writing packet sniffers only a week_after 
identified as 


learning the computer lanquage C. 
who lived in near 
last communication with was in 


September, 1994. 


| also_knew hacker known as in 
approximately 1994. real name is 
nose narenkay tive in heard that 


[| does not know 
f her. He knows who 


gaining access to 


nor has he ever 
is, and stated that he 


heard o 


| concluded by saying that the Internet is 
different from what it was when he was a hacker, and described it 
as very broad, and taking many different directions. He stated 
that the group “hacking for kiddies, or whatever they call 
themselves” is probably just going through a phase, and that they 
will outgrow this activity, much like[ | himse1é has done. 
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Date of transcription 


telephones 
was contactled during a search @f his premises. After 
being interviewed about certain aspects of the facts of this 
investigation, nd the agents engaded in conversation 
about the circumstances’ providing indications of 

involvement in the HACKERS FOR GIRLIES (HFG) Group. 

provided information which included the following: 


[was shown an issué of FORBES Magp2ine that was 


found during the search of his apartment. stated that he 
was familiar with an article in that magazine about the HFG hack 
of the website of the NEW YORK TIMES (NYT). [attention 
was drawn towards the photographic image of a woman that appeared 
in the article. Specifically, the article shows a copy of what 
the HFG group replaced the NYT’s website with during the hack. 
The HFG group replaced the NYT website with the letters “HFG” 

and the “H” contained the photograph being discussed with 


[____|stated that he did not recognize the photograph as being 
the same as one found on the website a) 


again acknowledged that_he had met with the 

FORBES reporter who wrote this article, 
visit that[___———sd| had made to 

had only come to visit him in z 
admitted that he picked upl_____——=sdJwhen he arrived that day at 
the airport, and brought him back to the airport that same day 
when he departed. [Isai he was ea = dene full 
time that he was in with the exception of those moments 
when[____—sdbwass “in the_bathroom”. said that the only 
apartment that he brought[_____— to in was the one in 
which this interview and search were taking place. 


[_] acknowledged that the circumstances he was 
describing, and the information contained in the FORBES article 


made it “look bad” for him. b7c 
| b7E- 
[_____]continued to deny that he was a member of HFG, | 


12/16/98 


Investigation on 


Lares 


“ mg 
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that he had participated in the hack of the NYT website, and that 
the “condo” described in the FORBES article was the same dwelling 
as the one he was currently in. 


[—sJagain admitted that he used the name[ 


in his computer activities. [____]stated that_if the 
evidentiary trial in the NYT hack led to his account, 
he would assert that it must have been because 1S account was 
compromised by other hackers. 


said he had spent about 15 minutes explaining to 
Se ere overflow” was in layman’s terms. He 
also pointed out that he explained some of the features_of the 
computer software known as “Tripwire”. When asked why 


didn’t just provide this information via telephone to 
did not have an explanation. 


During the discussion with the Agents,L___] 


acknowledged being familiar with the FBI’s investigation of 
ae and others. He was interested in 
knowing whether it was true that the FBI would not investigate 
crimes unless the damage involved exceeded $10,000. ae 
wanted to know whether the NYT had calculated the damage to their 
system because of the HFG hack, and whether that figure was 
public information. was also interested in knowing how 
the Federal Sentencing Guidelines worked. 


As the Agents were departing residence, SSA 
[_] commented 7 al that, as could see, no evidence 
being seized pursuant to the search warrant had been “planted” 
by the FBI. Upon hearing this,L shot back that while 

he didn’t think that these Agents had planted evidence, he 
wasn’t sure about the “eighteenth” Agent he might encounter. 
ssa[ was not present to hear that exchange. 
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FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 12/09/1998 


To: [| Attn: SSA b6 
FBIHO Attn: SSA NIPC b7C 
New York Attn: A/ASAC wcc 


From: New York 
C=37 


Contact: sAL | x3187 


Gonzalez Vict 


Approved By: 


Drafted By: 
Case ID #: [———=éd:Cs (Pending) b3 
b7E 

Title: HACKING FOR GIRLIES; 

VICTIM - NEW YORK TIMES; 

CITA; 

00:NY (2 
Synopsis: The purposes of this EC are to: (1) document } 
concurrence of SAC and SAC New York (Div II) for travel b6 
by New York SAs to Division for execution of search b7c 
warrants and interviews of members of “HACKING FOR GIRLIES” 
group; (2) request assistance from Division to swear out 
and execute search warrants in. on 12/6/98; (2) request hersecl 
travel approval by SAC New, York for three SAs and ®we SSAs to beck te 
conduct investigation inf-__]lon this complex and high- profile , SSAs 
investigation. , 


Details: Captioned matter concerns an attack that took place on 
September 13, 1998 against a computer owned and operated by the 
New York Times newspaper establishment. The computer that was 
victimized houses the computer files and code for the New York 
Times internet webpage and its related on-line services. The 
attack gave the subjects unauthorized access to the New York 
Times computer (in violation of Title 18 USC Section 1030), and 
that unauthorized access was used to take down the true NY Times 
webpage and replace it with graphic images and text installed by 
the hackers. 


The images installed were mildly pornographic and bore 
the initials “HFG”, of the subject group “HACKING FOR GIRLIES”. 
The text that was installed contained a diatribe against NY Times 
reporter and others who had covered he 
While this was embarrassing “to ‘the NY Times, the 
aspect during the time that the attack was success SNE 
readers of the NY Times on-line website were depriVGy. 
service. UPLOADED ‘t 

WITH/TEXT._ oy 

WITH/O 

BY 


ape mee ee 


To: From: New York © 
Re: 12/09/1998 


The investigation by sas[__ana[__] 
[__Jhas been intensive and exhaustive since that date Through 
technical analysis of computerized forensic evidence, personal 
interviews, and source information, the investigative trail has 
led to ee OS Through the valuable 
assistance of SAs in the office, several possible 
subjects have been identified and located, along with the 
locations of computers holding data relevant to the case. 


The investigative strategy is to have eS 
Cantrevel to[__|Division on 12/13/98 so as to have 12/14 and 
12/15 to prepare the execution of the search warrants on 
12/16/98. During the 14th and 15th, the 27 page affidavit 
prepared by these SAs will be presented to a local Federal 
Magistrate in support of an application for search warrants. 


One search warrant will be served on 


authorize the Agents to seize 
computerized data relevant to'the NY Times hack and will require 
CART assistance (to be provided by FBIHQ). 


Another search warrant will be executed at 
This is the residence 
of possible subjects white male, approximatel 
years of age, and white male, approximately 
ears of age. It is anticipated that approximatel 
ee will be seized pursuant to the warrant at that 
location with CART assistance (to be provided by FBIHQ). During 
the execution of the search warrant, efforts will be made to 
thoroughly interview Jand[[__ separately, using the 
combined skills of a senior SSA or SA and a technically 
proficient computer crime SA for éach interview. 


Discussions with ssal_____] an indicated that 
sac[__]concurs with travel ‘by’ NY personnel. The division does 
not have experienced SA personnel with computer training who 


could be available to conduct or assist in these interviews. The 
NYO has identified the following personnel, in addition to SAs 
and[_ | who have relevant experience and_an 
understanding of the facts of the case: sat SSA 
and SSA It is planned that SA 

and and would travel ts a Pe 12/15 
for participation in interviews’ on 12/16. Return travel would 
occur on 12/17. 


A third possible subject of this case is 


[_ |} white male, approximatel ears of age, believed to 
reside at While there 
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To: From: New York 
Re: 12/09/1998 


is no probable cause to ea a search of[___j residence, it 


is very important that be intervi bout_this matter 
simultaneously with the interviews of and 
because (Ge believed to be a member of HFG. SA is an 


SA with three years in the FBI, has obtained convictions in 
computer crimes investigations and_is CART certified. He, along 
with another agent will interview 


FBI New York wishes to express its appreciation to the 
[ss Division for their continued assistance in this case. 
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LEAD (s): 


Set Lead 1: 


= 
ar 


Provide assistance by designating an agent(s) to 
participate in the swearing out of aforementioned search 
warrants, and their execution on 12/16/98. Please advise NY 
whether any Bucars and HTs can be provided for transportation and 
communication assistance. 


+¢ 


From the Desk Of: 


AIASAC 
WHITE COLLAR CRIME BRANCH 
DIVISION 2 - BRANCH "2" 
x2802 
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ADIC __acssAL_{cs) 


SAC GONZALEZ 
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Date [- Ze 


] 8irth [_] Credit 7) Criminal ["] Death [7] INS [(] Marriage* [7] Motor Vehicle [(] Other 
iS 


To OPC Buded 
Return_toa File number 
ext 
nl LO ee If 


ane ana aula Sppttcant, or employee, and spouse b7c 


ya b7E 


Addresses 
Residence 


Business 


Former 


*Date and place of marriage 
(if applicable) 


Race Sex Height Weight Hair Eyes 
= [_] Male 
White pa 


Birth date Birthplace 
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Arrest Number Fingerprint classification Criminal specialty 


Social Security Number Drivers Licensé Number 


[J st Photo C] Other 


Specific information desired 
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Two pages to follow 


8 Please deliver ta: [sd 


Fax number: 212-384-4660 


From: he New York Times 
Tel: 


Date: January 28, 1998 
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at his residence 
After being advised o Vv 
the nature of the interview, he provided the following 


information: 


In the early part of 1998, 
an Internet Service Provider in 
worked alone as a 


the interviewing agent and 


department. After learnin warked[__] 
security department about hacker background Asa 
result, sent an employee from their security department to 

to watch toe a couple weeks. was 
the security department employee sent to watch 
Seiveyedie ree long time we 


employee about his hacking and exploits. 


supervisor at the time, put a fniffer on computer fo 

approximately four days. a computer IP address was 
and the DNS add a The 

snitfter logs showed esa ising numerous computers. 


list of the compromised compute) 
| addition, the_sniffer captured an email between 


Around December 1997, [____] bra 


fT tphy, | The email direct 
#hackL___————sidf and change|L_____| routing tables. 


| analyze the logs. After reviewing the logs, 
6 the victims to notify them that their computer’s had been 


gectprons sed. 


i intrusi ie from 


WITH/OUTTEXE 


Investigation _ 01/24/99 sat | C—“‘“‘“‘;S™SC*C‘idC 
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According to the sniffer hogs | | commonly launched 


2 | ______] Once @ computer was compromised, [| 


b6 
b7C 


b6 
b7C 


b6 
b7C 
b7E 


b3 
b6 
b7C 


7 | | 7 
Seen 


FD-302a (Rev. 10-6-95) 


Ld 


Continuation of FD-302 of | | ,On 01/24/99 , Page 


read email and greped for 


Yexploit”. In addition 


“security”, 


heard recentl 


eee 


2 


b3 
b7E 


b6 
b7c 
b7E 


| : @ 
FD-302 (Rev. 10-6-95) 7 $ 


S45 


FEDERAL BUREAU OF INVESTIGATION eS 


Latta ba ieata ee 


2 sTdénde 
during the execution of a search warrant on the above referenced 4 
address. Supervisory Special Agent (SSA) was 
present during the search and much of the interview. After being 
advised of the identity of the interviewing agents and the nature 
of the interview, he provided the following information: 


During the early morning hours of September 13, 1998, 
[jwas in his bedroom using his computer to Internet Relay 


email ‘on his webpage at . b3 
couldn't recall the exact time, but b6 
acknowledged that he was online all night until around 8 or 9 am b7c 
that morning. eet ee ee ISP) dial-up account, 
but could not recall the account _or user id. [____]advised he 
no longer used the account. had multiple sessions open 
and received an email message from The message 
indicated the New York Times website ha een hacked. [| 
immediately went to the New York Times website (www.nytimes.com) 
to verify the hack. Five to ten minutes coo pee the 
il to the[-______] A few minutes later, 
he New York Times webpage and saw the corrected 
did not view the website again that day. 
was sleeping in his own room during the early moe a a, 
September 13, 1998. 
* Upon viewing the hacked-_page [| saw the HACKING b6é 
FOR GIRLIES (HFG) hacked page. laughed when he saw the bic 


HFG hacked page because the victim was the New York Times. 

was amused because millions of people rely on the ‘New York 
Times for their news. [_____]was surprised that a website like 
the New York Times had not been hacked earlier.. L___Shad,.: a 
discussed the_subversion of information theory’ with others ‘on IRC 
many times. [| followed the New York Tite's hack closely 
because he needed to be aware of new exploits and vulnerabilities 
used by hackers. The New York Times was a big website and was . . 
considered one of the ten most secured sites about two years ago. 
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| = (as Fraadmitted he had hacked in the past, 
fs et enn wn ee an ee ee ee U : 
| Cd aadvised he had retired from hacking} 


knew HFG was a hacking group that had hacked 

Rt66.com, NASA, MOTOROLA, PHRACK, New York Times, and others. 

HFG was unique because they embedded text comments yinto the HTML 
code of the hacked_pages. denied he or 
members of HFG. denied ever cal 
believed HFG member 
the same hacker that used_the alias 
years ago. 


a couple 


via email. 


was asked by ssaL___ Jit his apartment was the 
apartment described in the HFG article in FORBES dated 11/16/98. 
[eo ereeea that he did not want to_answer the question because 
he could incriminate himself. Later, [denied that_his 
residence was the residence described in the article. 
advised the article mentioned a condominium, but his residence 
was an apartment. 


met[————S—S—C— | FORBES reporter, online 
about a year and a half ago and helped with technical 
aspects in past hacking articles. asked[_ sd to help 
h a story about came to 

residence to get’ help with technical aspects regarding 
the HFG article that he was writing. During the three hour 
explained buffer overflows and Tripwire to 
After the meeting at around 4:30 pm_or 5:00 pm 
and[_____'| had_dinner at 
After dinner, [L__Jand returned to 
residence. took a_nap while watched TV. A few 
hours later, do ee the airport. [ 
took a flight back to New York. 
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met at DEFCON IV or V. 
and discussed starting a computer security/intrusion 
company. At the time was not interested because he had 


a good job working at as a computer 

security consultant. Around March 1998 was laid off from 
and had no other job offers. then 

decided to start the_computer security/intrusion company they had 


discussed earlier. to 


provided $50,000 as 
start-up capital. id not contribute any start-up 

capital. haa no business for the first five months, but it 
was starting to pick up. In November 1998, L______—iran out of ; 
money and as a vogue |< = i] tea not been paid one or two 
paychecks. 


[| duties at include maintaining the bug 
and exploit database, assisting | anal eke 


client’s technical questions, assisting in developing SECURE 
REMOTE STREAMING software (SRS), and _maintaini 
clients_include 


and others cou not recall. 
[| stated he “hated[ Yt because[__ 
had slandered and libeled him. A few years ago accused 


of hacking 
ofrered|.__—i if 


fired from every “job he 
admitted to callin a 
«ee had held 
he would have gone to 


her recent press conference in 
harass her. 


[| characterized(——S—S—S—as an awful reporter 
whose. stories about hacking were technically inaccurate. 
stated that(L____———sdi’s ist book "set him off". 


was 


exploiting the hacker hype and_his coverage of was 
tacky. ae did not like[_ J exploiting to make 
money. _The media was hyping and sensationalizing the 


case. was a criminal, who broke the law and_deserved to 
be caught. felt the Government was treating 
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unfairly because he had 
met b6 
when co-locate Sirpcomputers a bic 
described as a nice guy who was technically competent, and 
who knew a lot about Berkeley Software Design (BSD). and 
one out socially to dinner. 
a system _administrator for On. 
another occasion, and came to residence and 
hungjout for a few hours nal | and 
Last year met be 
at the USENIX (ph) computer security conference. was bic 
rumored to be a real good hacker that had retired from hacking. 
talks col] on a regular basis. [| last contact 
wifh was_approximately three weeks ago. During their last 
co versation, [| was depressed that he might lose his job and 
ajfgirl he really liked had rejected him. [4 ctten calls 
looking for moral_support and encouragement. told 
he’s lonely in and felt that (ph) 
deserted him when moved to 
[| have gone out to dinner and then to 
several times. A few months ago, spent an afternoon at 
residence. On that occasion, and talked 
about Intrusion Detection Systems and other computer_security 
issues. [___]| communicates with thru IRC. uses a. 
different alias every time he IRC. Last summer, 
took[(__]to dinner. At _dinner, they 
discussed bugs and other technical problems was having 
with its SECURE REMOTE STREAMING (SRS) software. The purpose of 
the dinner was to get assistance on possible patches for 
the SRS software. 
met bé6 
b7C 


after moving to 


system administrator res ont or securing the 
server and desqribed[ 4 a big crypto (encryption 


guy. 
lives in but visits frequently. 
brings a la with him when he visits. created graphics 
for Omain as well_as webpage at 


idn’'t think[_] was a member_of HFG, 
mirrored the HFG hacks on his webpage. sent 


because 
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a tar file that contained all the HFG hacks. [| could 
not recall why[ | sent the file to him. 


a.k.a. 
moved from to to live with 
together for approximately one and a half years. 


and works as a system administrator for 
had on his webpage. 


created many of the graphics that 
i had not talked to 
Since July 1998. 


Approximately three months before movin toL___s| 
met eS on_IRC. [_Jena>__ discussed 


working a Lars gr a high school. 
Before ae et went to for a week. _The 
purpose of the trip was to meet and see if he and 


were compatible roommates. oath] after + ef 
moved from[_ si to live withP J 


[jis proficient with the Linux and _—_ 
operating systems. os frequently uses his laptop computer 
which contains information about all of his accounts. 
advised the laptop contained encrypted files. SA 

for the encryption password, but [[__] refused. 
advised that he wasn’t sure what was in the encrypted files and 


that he wanted_to prrtect himself. [— | has numerous shell 


on IRC. 
They lived 
lives in 


asked 


accounts. login/user id to his shell accounts is 
The only exception is shell account at 
user id is 
uses the account to subscribe to mailing Tist so he can 


monitor what [sis saying about him. 


[|] denied having two social security numbers. 
advised there was another[L__———s—C] Who. Lived inn 
stated that he recently dropped his middle name 
from his credit report. denied changing the name on his 
credit report to advised that the credit 


card representative may have misheard him when he was dropping 

his middle name. [~~~] never lived ae 

PT SSCSSCSCS™SCSidr had any contact with the residents 
1 . 5) 
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inistrator at 
introduce to his bosses at 
convinced his bosses to test the SRS software. 


hangs out in 
— female IRC friends include 


He 


and 
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To: b6 
(Info) Attn: MMOC, Squad 19 “-b7Cc 


L | (nfo) 


New York 
(Info) oar 


From: National Security 
CIU/CIOS/NIPC 


INTRUS = SYSTEMS ; 


Synopsis: Dissemination of source information concerning 
captioned subject. 


b7C 
Approved By: [__ - 
Case ID #: b3 
. b7E 
Title: b6 
b7C 


Details: Reference[ __—s«J EC to National Security [, i! 


dated 12/28/1998. 


For information of receiving offices, 
advised the National Infrastructure Protection Center (NIPC) of 
source information obtained on 12/01/1998, concerning the 

i WW 


captioned subject, identified as a com 
living in[ Tg 


i 
* % 


To: @.. National Security © 


Re: 01/29/1999 
‘ ' . . e 1 b3 
The source provided the following information pertaining b6 
to the captioned subject: b7c 
b7D 
b7E 
b6 
b7C 
b7D 
The source received this information from 
The following is information 
pertaining to respectively: 
b6 
b7C 
b7D 


@.. National Security @ 
/29/1999 


The receiving offices were identified through a subject 
name search using FBI/ACS and this information is being provided 
for information purposes for whatever action deemed appropriate. 


Information provided | a ee whereas the captioned 
sublect reportedly resides within the [ _]Division = 


The source expressed concern relating to the disclosure 
of their identity in relation to investigations of the captioned 
subject and any further questions pertaining to this information 
should be directed to the Division, MMOC, Squad 19, SA 
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Vitcom: New York b7C 
C-37 bTE 
Contact: SAL —S——CC_C2.12..384.3187 Cl 
Approved By: [7] 
| 
Case ID #: [ (Pending) 
Title: HFG -HACKERS FOR GIRLS 
Et al. 
NEW YORK TIMES - VICTIM 
CITA; 
00: NY 
Synopsis: To set a lead to deliver a 2703(d) court order. 
Reference: Telephone call between sa[_______ijJand sat bé6 
“ b7C 
Enclosures: 2703(d)Court Order[—_] issued in the Southern b7E 


District of New York SDNY. 


Details: 


On 02/03/98, a 2703(d) was issued for 


expecting the order. 


7 


To: From S New York & b3 
Re: 02/03/1999 b6 
b7C 
b7E 
LEAD (8s): 
Set Lead 1: 
b7c 


Hand deliver the enclosed 2703(d) Court Order 
issued in the Southern District of New York (SDNY) to 
at the following address: 
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Attn: SA 
Attn: SA 
Attn: SA 


rom: New York a 
C-37 pS 


Contact: sal 212-384-3187 a 


b7Cc 
approved By: [ met 


Drafted By: 


Case ID #: ding) 


Title: HACKING FOR GIRLIES; 
et al.; 
New York Times - Victim 
CITA 
OO: NY 


Interview female associates of 


Synopsis: 


b6 
b7C 


Enclosures: 


hb terres article; DMV photo off "bE 


awa. bic 


-Forbes articlé; two photos of [ 
Lo alka: 
-Forbes article; five photos of[ 
a.k.a. 


Details: On the morning of September 13, 1998, the New York 
Times website (www.nytimes.com) was hacked by a group known as 
HACKING FOR GIRLIES (HFG). The hackers altered the NY TIMES 
website with a webpage containing various text messages and 


raphic images. On the hacked page, the text ridiculed b6 
a NY Times reporter and b7c 
As a result, the NY Times took their main web 
servers off-line for approximately nine hours. Other parts of 


the website were down approximately a week. HFG has claimed 
responsibility for hacking the New York Times, NASA-Jet 
Propulsich Labs, MOTOROLA, PENTHOUSE, ELITEHACKERS.ORG and 
RT66 .COM. 


Abr ey Orn 


To: From: ®. York @ 
Re: 01/19/1999 


On 12/16/98, search warrants were executed in the 
division on residence and 


live together and_work for 


and[ were both interviewed about their 
involvement with HFG and the New York Times hack. and 
denied being members of HFG. However admitted 


e was interviewed in eT FORBES reporter, 
also stated he “hated”([_ sid and 


for the HFG article. 


that[(______] was exploiting for his own personal 
monetary gain. Additionali Ta the ee 
[i «=6As the has_a history o 
critiquing the media’s coverage o pl —Ihas a website . 
pe eras sa about his hatred for 


As a result of the interviews and other evidence, 

were identified as close personal 
communicates with them 
or email on a daily basis. 
During the interview was extremely nervous talking about 
his female friends. may have confided with one of females 
regarding his involvement in HFG or the New York Times hack in 
order to impress them. 


friends of 
on Internet Relay Chat 
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To: From: “New York © 
Re: 01/19/1999 


LEAD (s): 


Set Lead 1: 


arf] 


Interview 
Social Security Number 


about any knowledge she may have regarding 
and ast hacking activities, the New York 
Times hack and HFG. has no criminal history. 


Set Lead 2: 


a 


Interview a.k.a. DOB 
Social Security Number 


ee any knowledge she may have 
regarding and | past hacking 
activities, the New York Times hack:and HFG. has no 
criminal history. 


Set Lead 3: 


Co 
ac 


Interview 
Social Security Number 


pop[_____ | 


v 
Driver’s License 
about any 


knowledge she may have regarding 
ast hacking activities, the New York Times hack and 
HFG. has no criminal history. ; 
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CR ITININTMME Feb. 8, 1999 


datcx__Us3pe-% 
Open letter to the hacking community: 


Last week, Steve Silberman of Wired News called to tell 
me he and I and some other journalists had been duped 
by a psuedo-hacker named Christian Valor, AKA se7en. In 


April 1998, I'd posted a piece on the Forbes Digital Tool Perens “ey 
web site about Valor's kiddie porn vigilantism and the fact 


that law enforcement knew what he was doing, but 
turned a blind eye. Cool story. Too bad it turned out not fas fm age 


+ Compkte Internet Privacy: 


ANONYMIZER 


to be true. 


I was certainly in good company. Steve also had written 
about Valor's exploits, as had Newsday, the Independent 
in London, etc. Both Steve and I received letters from 
se7en's ex-girlfriend simultaneously last week, but Steve 9 1 foboic 
got on to the story first. I was out of town. Sad to say, he suitimic 
and I were the only ones to respond to her letter. I told 
Steve I wouldn't post anything until his story hit. (See 
"Kid-Porn Vigilante Hacked Media"). 


Sigal rt 


— 
i 

7 = ened aA 

Cri SC 


I can't comment on how Steve or the Independent or 


Newsday conducted their research, but I would like to Recent News 
tig) Oper D share with all of you how I did mine, and what went HNN Store 
OpenBSD wrong. I'm sure there are lessons to be learned. Opens 


: se7en Exposed 
As you may or may not know, I am no stranger to taking 


on journalists I think have concocted stories out of thin Off the Hook 
air. I broke the Stephen Glass story, the associate editor [zeNasleksllans 
of The New Republic who made up a story on hackers and [ERR aweweer We 
was later discovered to have made up some three dozen [RaiRNER Teen 
stories for a number of well-known publications (See 
"Lies, damn lies and fiction"). I also took on Beth Piskora Ltp] domain 
of The New York Post, who I believe made up a sexy tech fxANEN 

story on Organized Crime setting up phony companies for BiKegihremtrr 
Y2K remediation, who then, she claims, inserted software Bis 

to divert money from bank accounts (read: clients) to 
mob-controlled accounts. (See "Phantom mobsters”). This 
canard was picked up by Vanity Fair in a recent feature 
on Y2K. Vanity Fair has yet to admit it published a lie. 


Today 
Yesterday 


02/09/99 
I hate it when you nail a journalist and instead of coming Wiepyfel:yiet) 


clean, he or she hides. This is what both Glass and 


telemem bomen AAR “Th bln verbs Then vasmibiman bhin natn 
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02/05/99 
For my story ( Kiddie porn vigilante) I knew I couldn't get [apy ¥er) 
on IRC and traffic in kiddie porn on a Forbes computer. 


You remember what happened to that journalist for NPR 
who did, and is now had to plead guilty to a felony all 
because he was ostensibly researching a story? So I 

relied on law enforcement, EHAP, and NAMBLA. I called 
literally 10 law enforcement officials who said they 
studied under Valor in one of his security courses. On the 
record, they would all vouch for se7en's hacking skills. Off 
the record, they all said they knew what he was doing but 
they didn't care. Everyone hates kiddie porn traffickers. 


I also talked to EHAP, and they told me they were 
distressed by se7en's actions, because it gave hackers a 
bad name. Se7en should turn them over to the cops or 
the ISPs, they said, not break the law in going after 
them. They didn't say he was a fraud. 


I also contacted NAMBLA through its web site. I asked if 
anyone knew a hacker named se7en, who was 
purportedly going after kiddie porn traffickers on IRC. I 
received a cryptic response, something along the lines of, 
"Yes, some of our members have been complaining about 
this guy. We just want to be left alone." End of 
conversation. He refused to turn over any other details. 


So I felt confident that with all this cross-checking that 
Valor was who he said he was. Obviously, I made a 
mistake. I think the most important lesson I learned is 
that law enforcement doesn¢t have a clue what really 
goes on in hacking circles; they are not good sources for 
this. I also now won't write a hacking story unless I can 
meet the hacker face-to-face and actually see evidence 
that I can then verify with other hackers or computer 
security experts I trust. This is how I approached my 
story for Forbes magazine on the NY Times hack that ran 
last fall (available online at: 

(http://www. forbes.com/forbes/98/1116/6211132a.htm). 


If you want to send me taunting email, telling me what a 
fool I was, feel free. I'm at apenenberg@forbes.com. But 
you can¢t possibly be harder on me than I've been on 
myself this past week. You live, you learn. 


Sincerely, 


Adam Penenberg 
Senior Editor, Forbes Magazine 
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bs AFTER THE HACK - °« 


ber 11, tens of thousands of people down- 


: loaded the Starr Report from the many : 


i Web sites that made the text available, giv 


i ing the new medium a sense of critical : 


i mass. And on September 13, hackers 


: Times, forcing editors to pull the plug on 


i the digital edition of the newspaper of | 


i record for nearly nine hours. Months after ; 


; the hack, lingering questions remain: Who 
: carried it out? Why? Who's vulnerable? 
i The apparent goal was to bring atten- 


Mitnick, the hacker underground’s 


i favorite martyr. For more than three ; 
? years Mitnick has been awaiting trial on : 


HSCKING 
Visitors bo The New York Times's Web site on September 13 got this on their computer screens. 


FOR 


‘a twenty-five-count federal indictment 


; ed crimes, from wire fraud to unautho- } 


: rized access to a federal computer. His 
i trialis scheduJed to begin April 20. 

: The “Free Kevin" crowd blames the 
i Times, particularly its San Francisco- 


: based technoiogy reporter John Markoi, ; 


: for causing Mitnick's arrest in 1995. 


: Some parts of the site, including the : 


; Markoff's stories in the Times led to a i 


! book, Takedown, which he co-wrote with j 


i 


i Tsutomu Shimomura, a California com- 


i puter security expert who helped the FBI : 
: capture Mitnick. Supporters of Mitnick / 
i think the book exaggerates his alleged : 


: crimes, And now the book is about to : 
: become a movie, to be released in 1999 : 


: by Miramax. 


rs 


= dain! the morning of September 13, 
the Internet demonstraied both : 
its massive strength and its 
scariest weakness. On Septer ; 


rnard Gwertzman, the site's editor, 


New York Times Electronic Media Co.. 


organizations as diverse as NASA, 


i Motorola, and Penthouse magazine. 

People logging into the Times site i 
found all this news unfit to print: a mildly : 
i obscene HFG logo, a rambling statement : 
: attacking Markoff for putting “Kevin” in : 
H i jail, and attacks on Shimomura, Matt | 
: tion to the case of jailed hacker Kevin 


Richtel (another Times tech reporter), 


GIRL132 


Happy Hacker. 


Times editors tried to publish over the : 
: vandalism, but the offending page kept : 
i reappearing. After a few hours they took ; 
i the site offline completely and began to | 
? comb through the Times's computers. | 


looking for ways to correct the problem. 


Times's archive files, remained offline for j 
several days as security consultants : 
: looked for evidence of other. more subtle : 
damage. Since the hackers had complete : 


control, might they have, for example. 


door” that would allow them to return? 


Richard Meislin, editor-in-chief of ! 


: continued to investigate, a Forbes : 
i reporter claimed to have succeeded : 
; where many others have failed: he found : 
i and interviewed two HFG members. : 
: who call themselves Slut Puppy and : 
i Master Pimp. The reporter was Adam | 
: Penenberg, best known for being the | 
i first to investigate one of Stephen Glass's ; 
fabricated New Republic stories. In the : 
: interview the two said they attacked the : 
: discovered that the entry page to the ! : 
Times site (www.nytimes.com) had been ; 
: replaced with a page built by HFG, for : 
“Hacking for Girlies.” This is a group that : 
i claims to have invaded the Web sites of 
: attacked the Web site of The New York | 


Times because they were “bored.” 


ther clues in the case point ten- : 
tatively in the direction of Brian : 
Martin, a Scottsdale, Arizona, : 
computer security consultant : 
: and a frequent source of Penenberg’s. : 
: Martin runs a computer security ; 
newsjetter, and was one of the first to : 
spread the word of the Times hack. Also ; 
known by the hacker name Jericho, 
Martin has a complicated grudge : 
against Meinel, the New Mexico writer, | 
: over credit he thought he was due in | 
; and Carolyn Meinel, a New Mexico com: : ; 
puter security consultant who writes ; 
about hacking for Scientific American ? 


her book. 


In an interview, Martin conceded that : 
he is certain that his name is on the : 
i FBI's list of suspects. He was also once : 
; widely suspected to be “Angry Johnny.” | 
a hacker who about two years ago. : 
harassed reporters —- Markoff included : 
— with email “bombs” (a technique of : 
overwhelming a target's e-mail account ; 
with thousands of messages). HFG. in : 
i the text of the statement it posted on the : 
: Times site, announced the enlistment of : 
a new member named Resentful : 


Jonathan. 


“Some people thought I was Angry ; 
: Johnny. As a result, they thought} was : 
: Resentful Jonathan after the New York : 
i Times hack,” Martin as “They were : 
i : and published a book on the subject, The : i 
: charging him with various hacking-reJat- : i 


incorrect on both.” 


Both the scheduled pees of Mitnick's : 
trial and the release of the movie based ; 
on Takedown could encourage further : 
hacking incidents, whether by HFG or : 
says John : 
Vranesevich, the nineteen-year-old | 
i founder of AntiOnline. a clearinghouse ! 
for news of the hacking scene | 


others. “It's inevitable,” 


(www. antionline.com). 


‘What can Web site managers do? : 
“Securing your site is not an event. it's a : 
process.” Vranesevich says. “New sys: ; 
: tem vulnerabilities are coming out every 
changed the text of old stories, purloined a : : 
file of credit card numbers, or left a “back } J dehl_ 
: Hesseldahl writes frequently about Inter- | 
As the FBI’s computer crimes unit : i 


, | 


day. It's a constant challenge.” 


net issues. 
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The Granny Hacker From Heck 
Tuesday, February 23, 1999 at 11:43:38 
by Carolyn Meinel - Writing For AntiOnline 


I sit in my home office, slaving over a hot computer. It's an 
NT server; next to it is an Indigo running Irix 6.2. Across the 
room is my Slackware box. They are linked by, ta, da! 
Ethernet. Two modems hum with TCP/IP over PPP. 


The AntiOnline WN 
To get the-latest'n: 
delivered:to-your it 
every day, justent 
e-mail address be 


I'm the grannie hacker from heck. Elite d00dz tremble before 
my wrath. You don't believe me? Check out this 
(http://www.attrition.org/slander/content.html). See? Some of 
the scene's most dreaded hackers and brilliant computer 
security experts are trembling before my awesome skillz as, 
so they say; I run around erasing the systems files of helpless 
hacker boxes. I'm talking about people such as admitted black 
hat 
(http://www.wired.com/news/news/culture/story/16872.html) 
Brian Martin, AKA jericho, trembling in his boots. You 
know, the computer security professional from Repent 
Security, Inc. (http://www.repsec.com) Come on, check this 
out (http://www.attrition.org/slander/content.html) and see 
how terrified he is of me! © 
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Heck, even some FBI agents think I've waged a war of 
naughty images plastered over the likes of the New York 
Times and PenthouseWeb sites -- that I'm the Hacking for 
Girliez gang. Don't believe me? Martin even has a sound bite 
on his Web site with me apparently confessing to their 
crimes! (http:/Avww.attrition.org/shame/www/admit.html) 


So how did I become the grannie hacker from heck? It all 
started in 1995 when I went to Def Con III. Being such a good 
housekeeper, I couldn't help but be the person who discovered 
a live phone line in the convention ballroom. Of course I 


sprawled out on the floor, plugged my laptop into the line and 


telneted into a shell account. Lo and behold, "Evil Pete" 
Shipley, leader of the Dis-Org gang 
(http://www.dis.org/déc‘html), strode over. He was quite a 
wonderment, with fangs’and spurs and lovely black hair 
flowing to his waist. He crouched down beside me and asked, 
"You got a telnet session going?” 


"Yup." 
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"May I borrow it for a minute? I need to do something at 
work." : 


That was when the naughty side of me took over, you know, 
the Mrs. Hyde thing. "Suurreee:)," I replied. I handed my 
laptop to him, then leaned over and clicked a function key. 


"What did you just do?" Evil Pete demanded. 


"T turned on logging." I tried to wipe the cat got the canary 
look off my face. 


"You tried to steal my password!" Evil Pete stood up and 
started shouting, to no.one in particular, "This woman tried to 
hack me! Bad hacker etiquette!" 


"Sheesh," I pouted. "It's my computer, I can run keystroke 
logging ifI wantto!" 


Maybe I was plum lucky. Full as that ballroom was with guys 
toting Miranda cards, not a single Fed rushed over to bust me. 
That was what really got me inspired. I could hack a big wig 
computer security fellow right in front of the Feds, and get 
away with it! The sense of power drove me mad, muhahaha.... 


Anyhow, that is how I got started persecuting the biggest and 
the baddest hackers and computer security experts on the 
planet. 


Recently the organizer of Rootfest (http://www.rootfest.org) 
kicked me off the program of his hacker con because Evil 
Pete had warned him that I had put out a special, secret Guide 
to (mostly) Harmless Hacking showing newbies how to hack 
Pete's dis.org domain: Pete-even showed him a copy of this 
GTMHH, a special edition of Vol.1, #3. It's one that you 
won't find anywhere on the Web, I think only Pete, Mr. 
Rootfest and I have copies of it. Anyhow, this smart move of 
Pete's has saved the planet from the live "how to hack" class I 
was going to teach at Rootfest. 


Intoxicated as I am by hacking, nowadays my spinning wheel 
sits gathering dust, and.a shirt I was sewing lies half-finished. 
I used to be such a swéet housewifey, I swear! You don't 
believe me? I have witnesses! I used to demonstrate wool 
carding at the New Mexico State Fair! I used to make gourmet 
goat cheese and station bouquets of cut flowers from my 
greenhouse in Martha-Stewart-approved locations about my 
home. : 


What caused my fall from the Better Homes and Gardens set? 
The sweet taste of being a meanie against the world's hairiest 
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hackers! 


Sooo, will the rampage of grannie hacker from heck ever end? 
My victims are trying to figure out how to defend themselves 
against me. Evil Pete told'the organizer of Rootfest that in self 
defense, my hacker victims have brought many lawsuits 
against me. Much more effective than a firewall, right? 
Especially against us Uberhacker grannies! 


Now, I haven't seen any of these lawsuits, but as we all know, 
hackers never lie. The suspense is getting to me. When will 
this army of lawyers my victims have marshalled actually 
materialize? Will they sue me into submission? How much 
more damage will I and my Happy Hacker 
(http://www.happyhacker.org) army of newbies do before 
lawyers save the world from my depredations? Stop me 
before I hack again! 


In the meantime, while waiting for the lawyers to save you, 
what can you do to keép me from making naughty body parts 
sprout on your Web site? Here are my top five suggestions: 


1) Buy my Happy Hacker ‘book. I don't rm the operating 
system of anyone who ‘buys my book, because after reading it 
you will know enough to protect yourself from me. Also, 
when you see me trying to secure shell into your ftp port, 
you'll know I'm just yanking your chain. 


2) Send me computer jokes. I'm.a sucker for them and will be 
too busy laughing and forwarding them to my friends to hack 
you. The following is an example of something that meets my 
laughability standards:. © 


An engineer, a systems analyst, and a programmer are driving 
down a mountain road when the brakes fail. They scream 
down the mountain gaining speed every second and 
screeching around comers. Finally they manage to stop, more 
by luck than by judgment, inches from a thousand foot drop to 
the jagged rocks on the'valley floor. More than slightly 
shaken, they emerge from the car. "I think I can fix it," says 
the engineer. The systems analyst says, "No, I think we 
should take it into town and have a specialist examine it." The 
programmer, holding his chin between thumb and forefinger 
says, "Okay, but first I think we should get back in and see if 
it does it again." 


3) Give me a 120 cubic meter Cameron hot air balloon with 
complete accessories, you know, stuff like a rate of 
ascent/descent meter, GPS, one ton king cab chase truck with 
Tommylift gate... I'll be so busy accidentally landing on the 
classified areas of Sandia Labs, Area 51 etc. that I'll retire my 


3 of 5 “6 oKe 2/25/99 2:44 PM 


AntiOnline, News: The Granny Hacker From Heck a .. ne&date=02-22-1999&story=granm.news 
yy , 


computers next to the spinning wheel and unfinished shirt. I 
can see it now, "Gosh, Colonel, you know how these balloons 


are, I got caught in a thermal and next thing I knew I was 
here:)" . 


4) After we had a fight, my ex-husband used thermite to melt 
down our 30 mm Finnish antitank gun. Gimme another one. 
With ammunition. Or else. 


5) Our church music director could use 50 copies of the score 
for Jesus Christ Superstar. If I can get some snivelling coward 
to give them to us in exchaiige for me promising not to hack 
him, maybe J can get to sing Mary Magdalene. If Lisa gets the 
part, I'll hack the church computer so Zippy the Pinheadisms 
creep into the bulletins. 


I guess that's enough extortionate demands. I gotta get back to 
sneaking Trojans into military computers so I can launch 
World War III while making it look like Y2K bugs so I won't 
get into trouble. As for those computer security professionals 
I've been fubaring, do you suppose I'll ever feel remorse? No 
way! If they want to call themselves computer security 
experts, they'd better be ready to take heat from the granny 
hacker from heck! 


Carolyn Meinel (cmeinel@techbroker.com) is a computer 
fubar expert and clown princess of the non-profit Happy 
Hacker, Inc. She lives in Cedar Crest, NM with her 
long-suffering hubby, four cats, three horses, three dogs, two 
toads and two mosquito fish. 


PS: The thing about the thermite is a slight exaggeration. 
Everything else is true -- remember, you read this on the 
Internet, so it must be true. Be sure to email a copy of this to 
Craig Shergold and everyone else your know and Bill Gates 
will give you $1000. Be sure to put "Good Times" in the 
subject. If you don't email this out within ten days, you will 
be cursed with seven years of bad luck and wake up in a 
bathtub full of ice with your kidneys missing. Honest! 
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